university of toledo “profile of an audit service” · 2018-07-06 · changing regulatory...


Post on 09-Aug-2020


2018 -- 2019 Internal Audit and Compliance Department

Internal Audit and Compliance Department

University of Toledo

“Profile of an Audit Service”

2018 -- 2019


Welcome to the 2018 -- 2019 version of Profile of an Audit Service. This brochure is intended to provide a comprehensive summary of UT's Internal Audit and Compliance function for those of you that are new to UT or are unfamiliar with the work we do every day. If I had to condense the nature of our work in a few words, these are what I would choose. The University of Toledo Internal Audit and Compliance department …

provides an independent and objective perspective

functions as an assurance and consulting activity

adds value and improves the University’s operations

helps the University to accomplish its objectives

brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance

MISSION STATEMENT

“The University of Toledo’s Internal Audit and Compliance department is committed to the University’s goals of improving the human condition in the forms of prosperity, personal fulfillment, longevity, health, and societal participation. We operate on a fluid, flexible framework that will enable us to adjust to whatever the future may bring to higher education and health care. As such, we must continue to deliver on our commitments to our internal and external stakeholders, and staying true to our guiding principles. We are proud of our role in helping the University achieve and maintain its mission and vision, and look forward to any future opportunities to serve.”

We believe that the content of the Profile of an Audit Service will demonstrate how we provide value and service to the University every day. If you have any questions or need additional information about our services, please feel free to contact me, or any member of the team, at any time. Thank you for your time and interest!

David Cutri, CPA, CISA, CIA (Dave)
Executive Director of Internal Audit and Chief Compliance Officer
University of Toledo
(419) 530-8718
[email protected]


TABLE OF CONTENTS

Team Profile

“Lines of Business”

Internal Audit

Institutional Compliance

UTMC Compliance and Privacy

A Word about HIPAA, FERPA, and IT Security

Intercollegiate Athletics

Clery Act/Campus Safety Compliance

State Authorization and Professional Licensure Disclosure

Americans with Disabilities Act

Student Disability Services

Long-Range Plan

Recent Key Projects

Required Communications to the Board Of Trustees

Our Website

Fraud, Waste, and Abuse

Anonymous Reporting Line

Opportunities and Challenges Ahead


MEET THE TEAM: INTERNAL AUDIT AND COMPLIANCE

DAVID CUTRI EXEC. DIR. INTERNAL AUDIT AND CHIEF COMPLIANCE OFFICER

CPA, CISA, CIA

MBA, Case Western Reserve

Six Sigma Black Belt

Adjunct UT Faculty

SUE HOCHBERG DIRECTOR, STATE AUTHORIZATION

RN and JD

UT director of online programs

ADA coordinator, City of Toledo

Professional licensure disclosure

STEPHANIE BRENDLE CLINICAL RESEARCH TRIALS COMPLIANCE OFFICER

Certified Professional Coder

Medical Assistant

2 years UTP compliance officer

6 years non-UT experience, including ProMedica and Mercy

LYNN HUTT DIR., UTMC COMPLIANCE & UNIVERSITY PRIVACY OFFICER

Cert. in Healthcare Compliance

12 years UT experience

11 years with ProMedica and Auditor Of State

THOMAS CRUMLEY IT AUDITOR

9 years UT experience with Audit, Budget, Hospital Finance

30+ years data mining and analysis techniques in top 500 corporations

BRIAN LUTZ ASSOCIATE A.D. – COMPLIANCE

MS, Sports Management

BS Criminal Justice

13 years UT experience

15 years compliance experience with West Virginia, Kansas State

SUSAN EDINGER SENIOR AUDITOR

CPA

2 years of experience, PwC

2 years of experience in pension consulting

14 years, Perrysburg schools

ELLIOTT NICKESON CLERY COMPLIANCE OFFICER

PhD Candidate

Dolores Stafford/Clery Trained

4 years, UT Registrar and Admission offices

Student Conduct, Title IX Boards

U.S. Army National Guard

DIANE EISEL ASSISTANT DIRECTOR, INTERNAL AUDIT

CPA, 9 years UT experience

30+ years public accounting & auditing experience with The Andersons & KPMG in OH and IN

C’SHALLA PARKER UTMC COMPLIANCE OFFICER

RN MSN

10 years UTMC experience

Ambulatory director & clinic mgr.

Section 1557 civil rights officer

AMY GROSS PRIVACY OFFICER

RN, MAC

MA, Counseling

6 years UT Healthcare Informatics

11 years ProMedica HIM and Audit

KENNETH SCHANK ATHLETICS COMPLIANCE OFFICER

MS, Sports Management

6 years, Big East Conference

Former Trustee, UT Alumni Association


MEET THE TEAM: STUDENT DISABILITY SERVICES

ENJIE HALL DIRECTOR, STUDENT DISABILITY SERVICES

Licensed Professional Counselor (PC)

8 years disability services, Ohio State University

UT ADA Compliance Officer

University Behavior Intervention Team (UBIT)

Committee for Diversity and Inclusion (AHEAD)

TERRI MILLER ACCOMMODATION SPECIALIST, NOTETAKING

Masters Liberal Studies (Disability Studies)

15+ years UT experience

Diversity and LGBT credentialing

UT experience in contracting, supply chain

Notary Public

DEBBIE ARBOGAST ACCESSIBILITY SPECIALIST

Masters in Liberal Studies (Disability Studies)

20+ years UT experience

Member of AHEAD

Member of the Michigan Adaptive Sports Association

JOHN SATKOWSKI ACCOMMODATION SPECIALIST, ETEXT

Bachelors of Education

12 years in Primary and Secondary Education

Member of Project Healing Waters and Fishing Has No Boundaries

UT Diversity and Inclusion Trainer

LAURA BROWN ACCOMMODATION SPECIALIST, COMPLIANCE

Bachelor of Arts

5 years disabilities experience, Triad Residential Solutions

Experience in UT College Of Business and Innovation

Notary Public

JANAE WELBORN TRANSCRIBER

Bachelors of Science

Experience in UT College of Engineering

Higher Learning Commission Self-Study Committee

UT Diversity and Inclusion Trainer

JORDAN FUNK ACCESSIBILITY SPECIALIST

Masters of Education in Higher Education Administration

3 years of experience in primary, secondary, and higher education

Member of AHEAD

LISA YOST ASS’T DIR., STUDENT DISABILITY SERVICES

PhD Candidate

Masters Liberal Studies (Disability Studies)

20+ years UT experience

Member of AHEAD

Member of the Admissions Appeals Committee


“LINES OF BUSINESS”: INTERNAL AUDITING

The University of Toledo considers its internal audit function to be an independent, objective assurance and consulting activity that is designed to add value and improve the University’s operations. We help the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance. The scope of our activities can be classified as follows:

Effectiveness and efficiency of operations

Reliability of financial reporting and adequacy of internal controls

Compliance with applicable laws and regulations. Our work in this area is performed primarily by the Institutional Compliance function, which is discussed elsewhere in this Profile.

There are over 200 high- and medium-risk business processes in the academic and clinical enterprises of the University. We attempt to audit each of these processes at least once during any consecutive five-year span of time. We work collaboratively with our customers (process owners within each business unit) to develop an audit strategy that addresses the highest-impact areas of their business. Following are the general steps in an internal audit:

1. Work with the customer to identify the 3 – 5 business objectives of their organization.

2. For each of the above business objectives, work with the customer to identify the 3 – 5 business risks/barriers they face in accomplishing success in these areas.

3. For each of the above business risks, work with the customer to identify the 3 – 5 internal controls (policies, procedures, activities) in place that minimize the likelihood of the risks occurring.

4. Document/Summarize the current process.

5. Determine whether sufficient controls are in place to address the key business risks.

6. Perform independent testing of transactions to confirm that the internal controls are functioning as intended by management.

7. Determine opportunities for improvement due to a lack of internal controls or ineffective controls.

8. Recommend process improvements and obtain action plans from management.

9. Summarize all observations, both positive and constructive, in a final report.

10. Follow up on the status of corrective action taken during the original audit. Re-test transactions, if necessary.


INSTITUTIONAL COMPLIANCE

A significant part of our work is to determine UT’s level of compliance with applicable laws and regulations. The Institutional Compliance function is the University’s central source for evaluating our success in this area. The University is subject to over 200 Federal and State laws with which it must comply, in addition to numerous policies that align with these laws. The University has a network of compliance officers in the following areas that support these efforts. Certain of these compliance officers report organizationally through the Internal Audit and Compliance department; others report organizationally through these various UT business units:

University of Toledo Medical Center

Intercollegiate Athletics

Americans with Disabilities Act

Clery Act

Title IX

State Authorization

Contract Compliance

Capital Projects

Facilities Compliance

Joint Commission

Labor Relations

Loan Compliance

Research Compliance

The Institutional Compliance function works with these officers and their business unit leaders to execute a standard program of activities. This program is intended to provide senior leadership and the Board with assurance that UT policies and procedures are aligned with applicable laws and regulations, and that they are being complied with. These activities include:

Ensuring that all laws and regulations to which UT is accountable are supported by a current and complete set of University policies

Ensuring that all University policies are supported by detailed procedures that are current and customized by the applicable operating departments

Confirming that the operating departments have current and active methods in place to assess the level of compliance with these procedures/internal controls

Developing action plans to address identified gaps in internal controls, or gaps in compliance with internal controls

Drafting regular status reporting (“white papers”) of the various compliance environments

Alerting senior management and the Board promptly when there are barriers to implementing improvements due to budgetary issues, organizational issues, etc.


UTMC COMPLIANCE AND PRIVACY

UTMC Compliance Program: The UTMC Healthcare Compliance function is intended to provide the tools and expertise for ethical, compliant behavior to be a standard part of the University of Toledo’s clinical enterprise operations. Healthcare has become much more complex in recent years due to an increasing number of laws and regulations that apply to our operations, impacting how we deliver care, how we are reimbursed for services provided, and the transparency of our operations. The UT healthcare compliance program is a dynamic, progressive program that is intended to meet the changing regulatory landscape. The healthcare compliance program is accountable to both the Finance and Audit and Clinical Affairs Committees of the UT Board of Trustees. The healthcare compliance program covers faculty, staff, house staff, students, volunteers, contractors, and agents participating in the delivery of health care on behalf of UTMC. Read more on the UT Healthcare Compliance website: http://www.utoledo.edu/offices/compliance/index.html

The most recent additions to the UTMC Compliance portfolio include clinical trials and the Ryan White (infectious diseases) program. We continue to serve our various stakeholders well in these areas, ensuring that we are meeting our legal obligations to Federal and State regulatory bodies and accrediting commission.

Information Security: Information security is broad reaching. For guidance related to compliance with any of the following, contact the appropriate unit on the IT Security Services webpage: the HIPAA Security Rule, the Medical Center IT Security Department (IT), the Main Campus IT Security Department, Guidance for Lost/Stolen Mobile Device and/or Media, Secure Email Guidelines, Information Technology Security and Privacy Update, Unified UT Enterprise Password Standard, Security Awareness, and/or Training and Education.

Privacy Office - Health Information Portability and Accountability Act (HIPAA): UT and UTMC are committed to protecting the medical, personal, and sensitive information about its patients. In health care, the doctor-patient relationship is built on trust and confidentiality. This trust is essential to obtain accurate health information from patients and critical to effectively treat patients. While privacy and confidentiality have always been a priority for health care providers, they have heightened importance in this era of electronic information, with increased speed of information flow and the risks associated with protecting this information. An increasing number of technological solutions have been implemented at UT and UTMC to protect health care information. However, the key to ensuring that this information remains private and confidential is the teamwork of UTMC and UTMC faculty, staff, students, postdocs, and volunteers. UT’s and UTMC’s efforts to protect patient privacy and confidentiality are supported by federal and state laws. Read more on the Privacy Office website: http://www.utoledo.edu/offices/compliance/index.html


A WORD ABOUT HIPAA, FERPA, AND INFORMATION SECURITY

UT has a duty to comply with all Federal and State laws and regulations, as well as University policy. Among these are the Health Information Portability and Accountability Act (HIPAA), the Family Education Rights and Privacy Act (FERPA), and regulations pertaining to privacy of student and patient data. Internal Audit and Compliance educates all employees on these topics at new hire orientation, and through various forms of training during an employee’s career. Below is a summary of the rights and obligations of all UT employees in these areas.

HIPAA

HIPAA, also known as Administrative Simplification, has been called the most sweeping legislation to affect the healthcare industry in over 30 years. Among HIPAA’s provisions is the protection and confidential handling of protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. HITECH addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. https://www.utoledo.edu/policies/administration/compliance/pdfs/3364-15-01%20%20Confidential%20patient%20information%20under%20HIPAA.pdf

FERPA

A student’s personal information and academic records are protected under FERPA. FERPA allows students to inspect and review their educational records, amend them when appropriate, and have control over the disclosure of information from those records. Directory information may be disclosed by UT, as well as other universities. Directory information includes the student’s name, addresses, telephone number, major, year in school, dates of attendance at the university, and full- or part-time status. This information may be disclosed, unless the student has specifically requested the information not be released. For policy information, visit:

https://www.utoledo.edu/policies/academic/undergraduate/pdfs/3364-71-15%20%20Confidentiality%20of%20student%20records.pdf

https://www.utoledo.edu/policies/academic/college_of_medicine/pdfs/Student%20Records%20FERPA%203364-81-04-009-01.pdf

Information Security

UT information systems and the data these systems contain are a university resource of significant importance and value. Much of the data is confidential and sensitive, and therefore must be safeguarded from unauthorized use and access. The university’s policies and procedures serve to ensure that system data is appropriate, is accessible for the effective management and for legitimate educational purposes of the university, while protecting the privacy of the individual and the confidentiality and integrity of the data. Thus, system access and data security procedures have been established to serve this end. For more information, visit: http://www.utoledo.edu/policies/administration/compliance/pdfs/3364-15-12_Identity_theft_dete.pdf


INTERCOLLEGIATE ATHLETICS COMPLIANCE

What is Athletics Compliance?

The University of Toledo has a comprehensive and proactive compliance program designed to advance and promote the NCAA’s principle of institutional control to student-athletes, coaches, staff members, and supporters of Rockets Athletics. Athletics Compliance provides the following services:

Educational programming to its constituencies;

Interpretations of regulations and policies;

Monitoring functions in the Athletics Department to ensure NCAA, Mid-American Conference, and University of Toledo policies are observed;

Investigating potential rules violations; and

Reporting of demonstrated violations to the appropriate governing body.

Integral to the functioning of an effective Athletics Compliance program is the explicit communication of expectations for all involved in the intercollegiate athletics program. A university that intends to abide by its mission and maintain its reputation must be able to count on its stakeholders to act with integrity, and Athletics Compliance is critical to ensuring this integrity within the Athletics Department.


CLERY ACT/CAMPUS SAFETY COMPLIANCE

The Jeanne Clery Act is the landmark consumer protection federal law passed in 1990 which requires colleges and universities across the United States to disclose information about crime on and around their campuses as well as their efforts to improve safety on campus. In addition to the Clery Act, the Violence Against Women Reauthorization Act (VAWA) was signed into law by President Obama in March of 2013 and imposes new areas of compliance on universities related to crimes of domestic violence, dating violence, and stalking.

The Clery Act Compliance Officer is responsible for coordinating, monitoring, and working collaboratively with various offices at the University to ensure the institution’s compliance with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act and all associated regulations. Principal duties and responsibilities of the Clery Act Compliance Officer:

Serve as the institution’s designated “Campus Safety Survey Administrator,” as defined by the Department Of Education

Prepare, publish, and distribute the Annual Security Report (ASR)

Ensure notices announcing the availability of the ASR are properly developed and available to prospective students and employees

Work with the appropriate University Departments to identify all Campus Security Authorities for the institution and maintain a list of them for each academic year

Provide, facilitate, and manage the training of Campus Security Authorities

Serve as records custodian for all Clery Act-associated records

Work with the institutional police department/public safety records division to ensure proper classification of crime incident reports

Coordinate with the Facilities and Construction office to maintain an accurate list of buildings and properties owned and/or controlled by the institution

The Clery Act Compliance Officer serves as the Chair of the Clery Act Compliance Committee and collaborates with its members to promote the advancement of safety and security as well as Clery Act compliance on campus.


STATE AUTHORIZATION AND PROFESSIONAL LICENSURE COMPLIANCE

State Authorization of Online Degree Programs

UT must comply with a state's regulations before any educational activity can occur within that state. Those regulations determine whether UT may offer you a place in a course or program. The educational activities regulated range from offering 100% online courses and programs to online and/or campus-based courses that include activities such as internships, externships, co-ops, field experiences, student teaching, and clinical placements.

UT participates in the National Council of State Authorization Reciprocity Agreement (NC-SARA). This allows students from NC-SARA approved states to enroll in: (1) online degree programs, certificates, and endorsements that include internships, externships, co-ops, field experiences, student teaching, and clinical placements, and (2) campus-based courses with out-of-state internships, externships, co-ops, field experiences, student teaching, and clinical placements. As of this writing, 40 of the 50 states are members of SARA. There are 14 online programs, certificates, and endorsements restricting enrollment in the above-mentioned states. Please refer to the State Authorization webpage for specific information, or check with online admissions by phone: (855) 327-5695. Check UT's status in all states regularly for updates.

UT enrolled students are required to contact UT Online at (855) 327-5695 to discuss any changes in their state of residence prior to relocation. Please be advised that continued enrollment cannot be guaranteed. Detailed information is available at State Authorization for Out-of-State Institutions. If you have any questions about state authorization, please email [email protected]. There may be exceptions. Please check with the program director for specific information.

Professional Licensure Disclosure

UT programs leading to licensure and/or advanced practice certification/endorsement, whether delivered online or face-to-face, satisfy the academic requirements for those credentials set forth by the State of Ohio. Requirements for licensure and/or advanced practice certification/endorsement eligibility vary from one profession to another and from state to state. If you are interested in a UT program that leads to professional licensure and/or have a license and seek advanced practice certification/endorsement, please check with the appropriate licensing body in the state where you intend to practice to verify that the desired UT program will meet the eligibility criteria for the credentials you seek. National sites containing state board directories for over 20 professions are listed on the UT Professional Licensure webpage.


AMERICANS WITH DISABILITIES ACT (ADA) COMPLIANCE

The Americans with Disabilities Act of 1990 as Amended in 2008 (ADA) along with Section 504 of the Rehabilitation Act of 1973 are laws that protect the rights of individuals with disabilities. The University of Toledo is committed to fully embracing diversity and promoting inclusion of all individuals. UT strives to provide equal access by taking a proactive approach to removing barriers to education, employment and patient care.

The ADA Compliance Officer is responsible for ensuring the University is conforming to ADA policies and procedures as well as all federal regulations relevant to disability. The ADA Compliance Officer collaborates closely with the offices of Student Disability Services, Human Resources, Facilities and Construction, Information Technology, Learning Ventures, and UTMC administration to ensure equal access for students, faculty, employees, patients, and visitors with disabilities. Principal duties and responsibilities of the ADA Compliance Officer:

Provide consultation services on disability related issues

Manage the Institutional process for compliance to all federal and state laws and regulations pertaining to disability including Sections 501, 503, 504, and 508 of the Rehabilitation Act of 1973

Conduct training and workshops on a variety of disability topics, including awareness, equal access, and legal requirements

Review/develop policies, plans and procedures

Oversee facilities and academic access initiatives

Investigate/address disability concerns/complaints

Maintain current knowledge of emerging disability issues, legislation and regulations related to disability, access, and accommodations

Serve as a referral point for information

The ADA Compliance Officer chairs the ADA Compliance Committee and works in collaboration with its members to advance both program and physical access on campus. The ADA Compliance Officer co-chairs the ADA Liaisons Committee, which is comprised of Deans, Associate and/or Assistant Deans with representation from every college across UT. This committee seeks to address academic barriers to students with disabilities. The ADA Compliance Officer also serves as a member of the President’s Council on Diversity. The mission of the President’s Council on Diversity is to serve as an advisory group to the President providing recommendations based on observations, reports, and monitoring concerning diversity issues on the UT Campus.


STUDENT DISABILITY SERVICES

Student Disability Services at The University of Toledo supports students with disabilities as they achieve their academic potential within the University community. As a bridge to full inclusion within the University, Student Disability Services works with students, faculty, and staff to ensure students with disabilities are provided access to UT academic experiences, advocates for students’ rights, and promotes disability awareness. Student Disability Services supports the University mission of improving the human condition by:

Coordinating the provision of academic accommodations to students with disabilities.

Providing opportunities to learn from the infinite range of individuals' unique attributes and experiences by providing opportunities for students to interact with a diverse population that includes all people.

Creating an inclusive environment where students with disabilities can fully access the educational experience and are provided with the opportunity for future success.

Recognizing the value of each unique individual student by treating all students with compassion, professionalism and respect.

Enhancing retention of students with disabilities.

Using new technology and innovative solutions to provide appropriate access to students with disabilities.


STRATEGIC PLAN FOR INTERNAL AUDIT AND COMPLIANCE

Internal Audit

Build an internal audit staff that supports the needs of the business.

Structure the internal audit department on a fluid, flexible framework.

Embed technology in all facets of auditing to work more quickly and more accurately.

Accumulate knowledge about operations, risk and controls, and business process best practices.

Engage resources when necessary to provide subject matter expertise in technical internal audit areas.

Communicate effectively (including clarity, brevity, and accuracy) and with maximum impact.

Mitigate Information Technology (IT) risks that drive and redefine the operations of the University.

Broaden audit scope to address third-party and vendor risk.

Adjust to a stream of internal and external forces affecting strategies and operations, such as new technology, stricter regulations, shifting customer preferences and tougher competition.

Build audit plans on a risk-based schedule to ensure that University strategy and value-adding activities drive operations of the internal audit department.

Position internal audit as a supporting pillar of the University’s governance structure that promotes ethics and transparency.

Confront risks such as asset misappropriation, corruption and fraudulent financial reporting.

Assess the audit process continually to effect improvement.

Institutional Compliance

Structure the organization to support an enhanced compliance outcome.

Convey a compliance mind-set at the leadership level.

Embrace a values-driven culture.

Integrate governance, risk, and compliance activities to align with business objectives and drive efficiencies.

Employ a disciplined approach to identifying and managing risk.

Embed risk and compliance monitoring in processes enterprise-wide.

Implement sustainable remediation procedures.

Install automated software to improve risk management and compliance.

Establish a reporting framework to satisfy stakeholder information needs.

Integrate reporting functions throughout the organization.

Provide timely, thorough, and transparent reporting.


RECENT KEY PROJECTS: UT INTERNAL AUDIT AND COMPLIANCE

Clinical Risk Assessment: A series of “field” audits of all UTMC clinics, to ensure billing accuracy and compliance with Joint Commission operating practices.

Employee Training: Actively train employees on current issues such as risk management, process engineering, and responsibility-based budgeting in a classroom setting (in partnership with the Office of Quality and Continuous Learning), and various compliance topics during new hire orientations.

Higher Learning Commission Preparedness: Recently prepared the “self-study” on resource allocation and Federal compliance, in preparation for the upcoming accreditation visit by the Higher Learning Commission.

Human Resources and Payroll Reengineering: Worked with leaders across the University to recommend and implement process improvements in the areas of hiring and filling vacancies, onboarding, paying employees, recording time off, and separations and terminations.

Intercollegiate Athletics: Performed an annual financial statement compilation and audit of athletics revenues and expenses, in support of UT’s external auditors. A series of “white papers” were prepared for various aspects of compliance with NCAA and MAC rules.

Institutional Compliance Program: Aligned all University compliance officers under a common framework of planning, conducting, reporting, and following up on issues in their area.

Physician Chart Audit Program: Developed a program to review a sample of medical charts from each UT physician every year to ensure that all billable events were charged at the appropriate rate, and that overcharges or unsupported charges are not billed.

Revenue Cycle: Each year, audit or consult on an aspect of the UTMC billing process, from charge capture and collection to rates, accounting, and the supporting information systems.

Student Experience: Worked with the Division of Student Affairs in identifying and acting on opportunities to improve customer service and learning environments. Helped design and implement the Staff Ambassador program to welcome and orient new students.

Student Financial Aid: Due to the volume of financial aid transactions processed by UT each year, audit some aspects of financial aid each year, from eligibility, to Title IV disclosures, to scholarships, to financial aid applications.


REQUIRED COMMUNICATIONS TO THE BOARD OF TRUSTEES

The Institute of Internal Auditors’ International Standards for Professional Practice of Internal Auditing requires that certain topical areas be discussed with the Audit Committee at least annually. Following is a summary of these “required communications:”

Standard #1000: Purpose, Scope, and Responsibility. The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Standard #1010: Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter. The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the audit charter, and should be discussed with management and the board.

Standard #1110: Organizational Independence. The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Standard #1111: Direct Interaction with the Board. By the chief audit executive.

Standard #1312: External Assessments. External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

The form and frequency of external assessments; and

The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

Standard #1320: Reporting on the Quality Assurance and Improvement Program. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Standard #2020: Communication and Approval. The chief audit executive must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The chief audit executive must also communicate the impact of resource limitations.

Standard #2060: Reporting to Senior Management and the Board. The chief audit executive must report to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. It must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.


INTERNAL AUDIT WEBSITE

We hope that you’ll take a moment to check out the UT Internal Audit and Compliance website. It is accessible in the following way:

http://www.utoledo.edu/offices/internalaudit/index.html

We are very proud of the layout and content of our website. Following are the key sections:

Home: Includes a welcoming message from Dave Cutri, Director of Internal Audit and Chief Compliance Officer

Meet the Team: Brief profiles of all current team members

20 Questions for Internal Audit: Answers to frequently asked questions about the profession and our role within UT

Guidance: This is probably the most popular section of our website. It includes guidance for our auditors on departmental forms and the procedure manual. It also includes a link for our employees on the best practice internal controls for numerous functional areas of the University (“Internal Control Questionnaires”).

Healthcare Compliance and Privacy Office: Web-link to the services provided by the clinical compliance portion of our team. Valuable guidance on institutional privacy matters (such as HIPAA and FERPA) is also provided.

ADA/504 Compliance: Web-link to the services provided by the Americans with Disabilities Act compliance portion of our team. Includes interpretation and application of the ADA law and valuable departmental self-assessment tools.

Anonymous Reporting Line: Web-link to the University’s confidential business ethics hotline. Includes guidance on how and when to report ethical concerns by employees, students, patients, and other informed stakeholders.

Finance and Audit Committee: Link to the University website for the Board of Trustees committee to which Internal Audit and Compliance is ultimately accountable.

Internal Audit Plan/Finance and Audit Committee Presentations: Link to the annual enterprise risk assessment that culminates in our annual plan, as well as all monthly presentations to the Finance and Audit Committee, to whom we are accountable.

Student Disability Services: You may access important information from this part of the Internal Audit and Compliance organization from this link. This website houses the Student Disability Service Faculty and Student Handbooks, which provide students, faculty, and staff with helpful information about the ADA accommodation process.

You will also want to check out the links to the various University presentations we give on auditing, compliance, and governance matters, which are also available on YouTube. Please check out the website regularly for updated content and new and improved features. And please let us know about your thoughts on the website and how we can more effectively communicate and how we can best be of service to you, our customer!


A WORD ABOUT FRAUD, WASTE, AND ABUSE

What is Fraud? Typically requires 3 key elements:

1) Misrepresentation – “did something wrong”
2) Done intentionally
3) Resulted in unauthorized personal gain

Who Commits Fraud? Those having:

Ability to rationalize – Fraudulent actions taken weren’t really stealing

Opportunity – Due to too much authority resting with one person or a poor internal control environment

Pressure – Desperation for wealth or to obtain extra money

Who Commits Fraud? (Source: 2014 ACFE Report on Occupational Fraud)

Majority of perpetrators were long-tenured, managers, male, and middle-aged

64% of frauds were committed by perpetrators with over 5 years’ tenure

Depending on employee tenure, median loss ranges from $45,000 to $263,000

How Does Fraud Occur?

Billing – Employee submits invoice to customer for personal expenses

Expense reimbursement – Expense report claims nonexistent meals, personal travel, etc.

Non-cash – Stealing business services, identity of staff/students, office supplies, stamps, etc.

Payroll – Taking unreported sick leave, overtime for hours not worked, ghost employees

Skimming – Employee not recording payments from customers, diverting into own account

How Is Fraud Detected? (Source: 2014 ACFE Report)

University of Toledo Anonymous Reporting Line (1-888-416-1308)

Dedicated line for UT faculty, staff, students, and third parties to report compliance concerns

Allows 24-hour availability; callers may remain anonymous; managed by third-party vendor

Does not replace existing reporting mechanisms on campus or in the Health System

Internal Controls Are Important for Reasons Other Than Preventing or Detecting Fraud

Controls help detect/prevent honest errors (ex., keypunch/data entry errors)

Computerized controls help ensure accuracy (ex., time entry eliminating timesheets)


A WORD ABOUT THE ANONYMOUS REPORTING LINE (“HOTLINE”)

We are all responsible for promoting a healthy environment at UT. This includes asking questions and raising concerns if you see something you don’t think is right.

Options

Where to best raise a concern depends on your particular concern and situation; whenever possible, you should attempt to resolve your concern in the following sequence.

1. Safety issues: University of Toledo Police Department: (419) 530-2600
2. Contact your supervisor
3. Compliance issues: Internal Audit and Compliance Office: (419) 530-8718
4. HIPAA violation issues: Compliance and Privacy Office: (419) 383-6933
5. Compliance Concepts Anonymous Reporting Line (Hotline): (888) 416-1308 – toll free

Are you concerned about a violation of law or policy, or uncomfortable raising it through normal channels? Use the Anonymous Reporting Line, UT’s confidential reporting service.

What to Report: Report any situation or University conduct you believe violates an applicable law, regulation, government contract or grant requirement, or University policy. You do not need to know the exact law or requirement, or be certain a violation has or will occur. When in doubt, the better course of action is to report.

What Not to Report: The Anonymous Reporting Line should not be used to report:

employment concerns that are not legal or policy violations

purely student concerns

issues for which UT is not responsible

All emergencies should be reported to 911 or (419) 530-2600. If you are uncertain, the better course of action is to report.

Your Obligations as a Reporter: University employees are expected to report good faith concerns about possible violation of any policy, law, rule, regulation, or contract or grant governing any University activity, and are expected to be truthful and cooperative in the investigation of the allegation. Knowingly making false reports can lead to disciplinary action.

Your Rights as a Reporter: All reports of compliance issues will be handled in strict confidence to the extent possible or permitted by law. Your inquiry can be made without fear of retribution. University policy prohibits retaliation against individuals who report issues in good faith.

How to Use: The Anonymous Reporting Line is available seven days a week, 24 hours a day, and 365 days a year. You are greeted by a trained interviewer who documents your concerns. A report number will be assigned, which you will need when you check back. Using the report number, you may call or e-mail to follow up or add more information and remain anonymous.

Additional details about all of these and other options can be found online at https://www.utoledo.edu/offices/compliance/reporting.html


OPPORTUNITIES AND CHALLENGES AHEAD

Higher Education

The future of higher education, including the University of Toledo, over the next five to ten years will include …

More demand for graduates

Fewer public financial resources

Do more with less (fewer people)

More intense competition

Fewer tuition rate increases

More enabling technologies

Fewer non-core programs

More international experiences

Health Care

The future of health care, including the University of Toledo Medical Center, over the next five to ten years will certainly include …

More outpatient care

More complex inpatient care

More technology

More advanced imaging

More genetic testing

Personalized medicine

More neurological services

More cancer care

More telemedicine

More mid-range providers

More outcomes reporting

Narrower and deeper service lines

The Role of UT Internal Audit and Compliance

In light of these opportunities and challenges, it is appropriate to be reminded of the University of Toledo’s Internal Audit and Compliance department mission: We are committed to its goals of improving the human condition in the forms of prosperity, personal fulfillment, longevity, health, and societal participation. We operate on a fluid, flexible framework that will enable us to adjust to whatever the future may bring to higher education and health care. As such, we must continue to deliver on our commitments to our internal and external stakeholders, and staying true to our guiding principles. We are proud of our role in helping the University achieve and maintain its mission and vision, and look forward to any future opportunities to serve.