Contents
Section 1: Introduction 3
Section 2: Objectives and Responsibilities 3
2.1 Objectives of the CR Department 3
2.2 Auditing Standards 3
Section 3: Nature of Audits and Audit Selection 3
3.1 Nature of Audits 3
3.2 Audit Selection 3
3.2.1 High Risk……………………………………………………………………………..4
3.2.2 Medium Risk…………………………………………………………………………4
3.2.1 Low Risk……………………………………………………………………………..4
Section 4: Audit Development & Process 4
4.1 Pre-Audit Discussion 5
4.2 Initial Research and Pre-Audit Preparation 5
Section 5: Audit Methodology and Procedures 5
5.1 Fieldwork and Work Papers 5
5.3 Retention of Records 5
5.4 Audit Sampling 5
5.4.1 OIG Claims Review 6
5.4.2 Statistical Sampling 6
5.4.3 Non-statistical Sampling 6
5.4.4 Sampling Definitions & Plans 6
Section 6: Reporting 7
Section 7: Communication 7
7.1 Exit Conference 7
7.2 Monitoring 7
Addendum A: Financial Audits 8
Addendum B: Medical Services 10
Addendum C: Privacy and Security 12
Addendum D: Research Audits 13
Addendum E: Audit Checklist 15
Addendum F: Audit Report Template 16
Corporate Responsibility’s
Auditing and Monitoring
Standard Operation Procedure
Section 1: Introduction
The Standard Operation Procedures Manual is a reference tool for the Corporate Responsibility (CR) department in the performance of its duties under established standards. The Regional Health Compliance & Audit Committee of the Board of Trustees shall review and approve the annual Audit Plan, the results of audits as well as related recommendations for improvement in accordance with the Corporate Compliance Plan, Code of Conduct and the Articles of Incorporation for Regional Health.
Section 2: Objectives and Responsibilities
2.1 Objectives of the CR Department
The CR department provides an independent analysis through auditing and monitoring performed based on the following objectives:
a) To determine activities are in compliance with system policies, procedures and goals, contractual obligations, state and federal laws, regulations; as well as, ethical business practices.
b) To recommend improvements in management controls, practices, and procedures to mitigate risk.
c) To evaluate the accuracy, timeliness, and effectiveness of information supplied to management and external organizations.
2.2 Auditing Standards
Audits are conducted according to generally accepted standards; as well as, state and federal regulations using audit programs, techniques, and procedures necessary in the circumstances specific to each assigned area (e.g., finance, coding, privacy, information security, or research).
Section 3: Nature of Audits and Audit Selection
3.1 Nature of Audits
Audits performed by the CR department are grouped into the following categories:
a) Financial (Addendum A)
b) Medical Services for Documentation and Coding (Addendum B)
c) Privacy and security (Addendum C)
d) Research (Addendum D)
3.2 Audit Selection
The CR department establishes audit activities from several areas: the Office of Inspector General (OIG) work plan, risk assessments, requests from a facility/department, trends in privacy issues, etc. The level of risk is established based on the following guidelines:
3.2.1 High Risk
a) Potential noncompliance to state or federal regulations
b) Government agency communication/correspondence
c) Allegation of abuse and/or neglect to a patient
d) Noncompliance to standards of care and/or quality indicators
e) Breach of protected health information (PHI)
f) Potential severe penalties
g) Cash loss and/or dollar value to include non-routine overpayments
h) Hotline calls and/or trends identified with a potential violation of code of conduct, policy and/or regulations.
i) Identified materiality with a conflict of interest
j) Documentation and/or coding error rate less than 80% accurate
k) Overpayments greater than $100,000
l) Reputation capital
3.2.2. Medium Risk
m) Exit interviews alleging noncompliance to items in High Risk category
n) Potential violations of policy
o) Documentation and/or coding error rate less than 90%
p) Known problem areas based on nature of the problem, previous audits and outcomes.
q) Turnover of key personnel, addition of new functions, or significant increases in activities.
r) Management concerns
s) Significant lapse of time since a high risk area was audited
3.2.3 Low Risk
t) Routine overpayments less than $25,000
u) Monitoring results based on previous audits.
v) Release of one individual record containing protected health information with limited risk of further disclosure
Section 4: Audit Development & Process
4.1 Pre-Audit Discussion
The Vice President of CR or designee will assign audits appropriately to CR staff within their area of expertise. Prior to the audit or review, members of the CR team, including management and the assigned CR Auditor will define the objectives, general scope and background information for the audit and record this information on the appropriate document. The objective defines the purpose of the audit, while the scope defines the timeframe, population, and methodology (statistical or non-statistical) needed for the audit. The background provides any information involved that identified the issue, including any person(s) and the regulations pertaining to the issue, if applicable.
The CR Auditor will then initiate the Audit Checklist (Addendum E). It is also their responsibility to initiate and maintain contact with the individuals from the facility/department(s) being audited. Effective communication at the beginning of the audit can materially influence the atmosphere in which the audit is conducted.
4.2 Initial Research and Pre-Audit Preparation
The CR auditor will collect and consider the following as he/she develops the audit:
a) Previous internal and external audits and/or reports.
b) Questionnaires or surveys
c) Policies and procedures
d) Contracts and/or Business Associate Agreements
e) Regulations, statutes, bylaws
f) Subject matter experts, e.g. coders, auditors, technical experts and/or legal
g) Research seminar materials or handbooks
h) Disclosed conflicts of interest
Section 5: Audit Methodology and Procedures
5.1 Fieldwork and Work Papers
Fieldwork is the process of gathering information for measurement and evaluation.
Work papers document the work the CR auditor has prepared and should be complete, accurate, clear, legible, logical and support observations, testing, conclusions and recommendations.
Work papers will be maintained in an electronic format and filed in the subdirectory created and titled for the audit project on the CR Intranet Hub page. The naming file convention for the work papers is as follows: facility, mmddyyyy, “file description” (e.g., OIG Correspondence). All created documents should have the electronic file name as a footer at the bottom of the paper.
Information that is protected by privacy laws should not be included in the work papers. Personnel records and student records are protected by privacy laws. When these types of records are reviewed in an audit; names, social security numbers, and other identifying information should be expunged from the work papers.
Avoid including multiple choices of an item in the work papers or any item that is not necessary to support the work performed and the findings and conclusions in the audit report.
5.2 Attorney-Client Privilege
The attorney-client privilege may be invoked and directed by internal or external legal counsel.
The definition of A/C privilege is to protect the privacy of the information exchanged between an attorney and a client. Its objective is to encourage open and honest conversations that enable an attorney to provide the best possible representation to the client.
5.3 Retention of Records
All correspondence, memoranda, and work papers will be maintained in accordance with the Regional Health Document Retention Policy COC 8217-21. A permanent electronic copy of all audits will be maintained in the appropriate folder on the CR Hub Page.
5.4 Audit Sampling
The type of sampling used is determined by the audit.
5.4.1 OIG Claims Review
The OIG Claims Review procedures require a Discovery Sample of 50 sampling units to be randomly selected for review. If the net financial error rate of those 50 sampling units equals or exceeds 5%, then a Full Sample must be reviewed and a Systems Review must be conducted. The Full Sample must include a sufficient number of sampling units to yield results that estimate the overpayment in the population within a 90% confidence and 25% precision level.
5.4.2 Statistical Sampling
The objective of statistical sampling is to employ random selection procedures to eliminate the risk of bias and to permit quantification of sampling confidence. Statistical sampling methods should be used when any of the following criteria apply:
Cost/benefit analyses support the additional costs and time required.
The use of the government approved RAT-STATS statistical software designed to assist in the selection of random samples and evaluating the audit results.
Risk of a sampling error must be quantified.
5.4.3 Non-statistical Sampling
The objective of non-statistical sampling, also referred to as, a snapshot audit, is to review a focused area that is non-statistical or judgment sampling.
a) If a system has weak controls that cannot be relied upon, it would also be wasteful to spend a great deal of time performing extensive substantive tests.
b) The audit objectives are met by a non-statistical sample.
c) The population has no variability.
5.4.4 Sampling Definitions & Plans
Attributes: To estimate the attributes or characteristics of a population--obtaining "yes or no" answers--with a measurable degree of reliability.
Variables: To estimate the value of a population--dollars, weights, time spans, or other variables--with a measurable degree of reliability.
Discovery: To identify, through sampling, at least one suspected item and discontinue sampling when the item is identified.
Judgment: To use samples for the purpose of obtaining information that need not be attributed to the entire population with measured reliability.
In deciding which selection technique or sampling plan to use, the auditor should consider these applications:
a) Random Numbers: Each of the items in the population is, or can readily be, numbered.
b) Interval: Items are not or cannot be numbered or where random sampling would be excessively expensive.
c) Stratification: The population is composed of items that vary considerably in value or in other characteristics of interest.
Section 6: Reporting
The Audit Report (Addendum F) will be completed after the audit examination fieldwork is finished. The audit report includes:
a) A cover page with the title, fiscal year, date of report, and distribution list (template located on the CR Intranet Hub.
b) Subsequent pages that contain the objectives, scope, background and findings/recommendation summary.
c) Individual findings that address all recommendations to the finding.
d) Conclusion.
The Audit Report will be reviewed with the Vice President of CR or designee before distribution to pertinent individuals and/or review at the exit conference. The Audit Report should have the following characteristics:
a) Accuracy: the Audit Report should be completely factual with supportive references whenever possible. Statements of fact must carry the assurance the CR auditor personally observed or validated each fact in the report.
b) Clarity: the Audit Report should accurately express ideas that result in a thorough understanding of that idea by the reader.
c) Conciseness: the Audit Report should eliminate anything that is superfluous, irrelevant, or immaterial.
d) Tone: the Audit Report should have a positive tone and written courteously. Negative situations presented in a positive manner usually produce positive results.
e) Tense: the Audit Report should be written in the past tense.
Section 7: Communication
7.1 Exit Conference
The Exit Conference is intended to formally present all of the audit findings and recommendations to the Management of the audited department/facility. Management should carefully review each finding to determine the accuracy of the facts presented. An agreement should be reached to the facts presented and a clear understanding of the recommendations as well as follow-up responsibility.
Audit findings will be presented formally in the audit report.
7.2 Monitoring
The CR department will conduct follow-up monitoring on the recommendations and/or corrective action plans made for each finding. The nature of the follow-up is dictated by the seriousness and complexity of the deficiencies noted and as appropriate, will be report to executive management.
Corporate Responsibility Audit Manual
Addendum A
Financial Audits
Items for potential review: The efficiency and effectiveness of all operations associated with the audit issue may include a review of the following:
1) Departmental fiscal and operational procedures,
2) Controls and responsible recording of activities in such areas as, but not limited to:
- the receipt, recording, deposit, and security over all cash receipts,
- the write-off allowance of patient charges,
- the procurement, receipt and payment of inventory and supplies,
- interfaces between systems, and
- the accuracy of internal and external reports.
3) Contracts with external entities and organizations
4) Security and control of equipment and facilities,
5) Recommendations and implementation from prior audits,
6) Compliance with system policies and procedures.
Approach to test and evaluate controls and procedures: CR will review all pertinent information provided, including policies and procedures; interview necessary personnel; and verify procedures.
Testing procedures are designed to verify the control’s existence and operational effectiveness.
The following table provides a summary of the types of tests that may be employed to verify the control environment:
Audit stage / Type of procedure / Manual methods of gathering evidence include:Control testing / Tests of control / Observation, inspection, inquiry, re-performance and application as prescribed by policies, procedures, rules, regulations and sound business practice. (SAS 1, Section 320.55)
Substantive testing / Tests of detail / Transaction testing, physical examination, inquiry of employees, recalculation, confirmation, vouching, cut-off test.
Analytical procedure / Reasonableness test, ratio analysis, scanning, roll-forward procedure, comparison, benchmarking.
Flowcharts:
A flowchart is a method for documenting and understanding the flow of a system and for identifying its control points. It is a pictorial description of how transactions flow through a system. It visually communicates procedures and controls and the sequence in which they occur.
Processes can be easily analyzed for appropriate internal controls by documenting activities chronically. The following guidelines should be followed in preparing flowcharts.
1) Prepare or update a flowchart for each audit, as applicable.
2) Use appropriate design and flowchart symbols for the activity being analyzed.
3) Identify and document control points and respective sub-routines.