using controlled self-assessment to determine compliance risk management multi-line, multi-risk...
TRANSCRIPT
1
Health Care Compliance Association6500 Barrie Road, Suite 250, Minneapolis, MN 55435888-580-8373 | www.hcca-info.org
Using Controlled
Self-Assessment to Determine Compliance Risk
John Falcetano, CHC-F, CCEP, CHRC, CIA
University Health Systems of Eastern Carolina
252-847-0125
888-580-8373 | www.hcca-info.org 2
Agenda
• Discuss internal controls and how they relate to compliance.
• Discuss how Control Self-Assessment can assist in identifying risk.
• Discuss universal business risks.
• Identify things that can affect risk.
• Discuss approaches to risk assessment.
• Understand the importance of prioritizing risk.
• Controlling action plans that address risk.
2
888-580-8373 | www.hcca-info.org 3
Internal Controls: How does this relate to compliance?
888-580-8373 | www.hcca-info.org 4
Definition of Internal Controls
� A process effected by an entity's
board of directors, management, and
other personnel designed to provide
reasonable assurance regarding the
achievement of objectives.
3
888-580-8373 | www.hcca-info.org 5
Commission Of Sponsoring Organizations(COSO)
� "COSO" provides a sound basis for
establishing internal control systems and determining their effectiveness.
� Objectives of an internal control system:
1. Efficient and effective operations,
2. Accurate financial reporting, and
3. Compliance with laws and regulations.
888-580-8373 | www.hcca-info.org 6
Types of Internal Controls
� Preventive
� Detective
� Directive
4
888-580-8373 | www.hcca-info.org 7
The Business Case for a Strong Internal Control Program
Upside Downside
888-580-8373 | www.hcca-info.org 8
• “incumbent upon a health system’s
corporate officers and managers to
provide ethical leadership to the
organization and to assure that adequate
systems are in place to facilitate ethical and legal conduct”
Per OIG Guidance
5
888-580-8373 | www.hcca-info.org 9
Examining Effectiveness of Internal Controls Through
Control Self-Assessment
888-580-8373 | www.hcca-info.org 10
Why ?
• Line Staff
• Soft Controls
• Team Approach
• Manager Involvement
• Employee Buy-in
6
888-580-8373 | www.hcca-info.org 11
Benefits of Conducting CSA
• Increases scope
• Targets audit work
• Frees internal audit resources
• Increases awareness
• Motivates personnel
888-580-8373 | www.hcca-info.org 12
Controlled Self-Assessment (CSA)
• Reviews:
– Key business objectives
– Risks involved in achieving objectives
– Internal controls to manage those risks
7
888-580-8373 | www.hcca-info.org 13
Management Team as Leaders
888-580-8373 | www.hcca-info.org 14
Primary Objectives of Internal Controls
Accomplishment of organizational objectives and goals
8
888-580-8373 | www.hcca-info.org 15
Three Primary Approaches to Control Self-Assessment
• Facilitated Team Meetings/Workshops
• Questionnaires/Surveys
• Management-Produced Analysis
888-580-8373 | www.hcca-info.org 16
Four Types of CSA Facilitated Meetings Formats
• Control-based
• Process-based
• Objective-based
• Risk-based
9
888-580-8373 | www.hcca-info.org 17
Controlled-based CSA
• Focus is on internal controls
888-580-8373 | www.hcca-info.org 18
Process-based CSA
• Focus on examining the steps/activities
performed within selected processes
10
888-580-8373 | www.hcca-info.org 19
Objective-based CSA
• Focuses on best way to accomplish an
objective
• Significant input from the work unit
888-580-8373 | www.hcca-info.org 20
Risk-based CSA
• Focus on identifying and managing risk
• Examines control activities to ensure the
control is sufficient to manage risk
11
888-580-8373 | www.hcca-info.org 21
Risk-based CSA
• Barriers
• Roadblocks
• Red Tape
• Hindrances
888-580-8373 | www.hcca-info.org 22
Characteristics of Risk-based CSA
Objective
� Risks
� Controls
� Residual Risks
� Assessment
12
888-580-8373 | www.hcca-info.org 23
U.S. Sentencing Guidelines (commentary) as amended November 1, 2004
The organization shall . . .
(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:(i) The nature and seriousness of such criminal
conduct . . .(ii) The likelihood that certain criminal conduct may
occur because of the nature of the organization’s business . . .
(iii) The prior history of the organization . . .
888-580-8373 | www.hcca-info.org 24
What is Risk?
� Risk is something that might prevent an organization from meeting an objective.
13
888-580-8373 | www.hcca-info.org 25
Universal Business Risks
888-580-8373 | www.hcca-info.org 26
Things that Affect Risk
� Organizational Ethics
� Financial Demands
� Technology
� Competition
� Mergers/Joint Ventures/Acquisitions/ Alliances
� Laws/Rules/Regulations
� Unknown
14
888-580-8373 | www.hcca-info.org 27
Extended Extended Extended Extended
EnterpriseEnterpriseEnterpriseEnterprise
RiskRiskRiskRisk
ManagementManagementManagementManagement
StrategicStrategicStrategicStrategic
EconomicEconomicEconomicEconomic
InsuranceInsuranceInsuranceInsurance
BusinessBusinessBusinessBusiness
ProcessProcessProcessProcess
CultureCultureCultureCulture
Capital Markets/Treasury RiskMarket Risk, Liquidity Risk
Analytics & Modeling CreditAnalytics
Property, Casualty,
LiabilityRisk Management
Multi-line, Multi-riskInsurance Products
OperationsCompliance
FinancialInternalControl
ProfitRecovery
CorporateEthics
Physical & InformationSecuritySecuritySecuritySecurity
AlliancesAlliancesAlliancesAlliances
RegulatoryRegulatoryRegulatoryRegulatory
Strategy, Goals, Mission,
ObjectivesJoint
Ventures, Outsourcers, Third Parties
SEC, NASDAQ, NYSE, Fed
Asset Protection
CorporateCompliance
Operational Risk
Management
Financial
Operational
Compliance
Strategic
Enterprise Risk Management
888-580-8373 | www.hcca-info.org 28
Enterprise-Wide Risk Assessment
• Strategic
– Strategy
– Goals
– Mission
– Objectives
– Alliances
– Joint Ventures
– Outsourcers
– Third Parties
15
888-580-8373 | www.hcca-info.org 29
Enterprise-Wide Risk Assessment
• Operational Risk Management
– Insurance
• Property
• Casualty
• Liability
• Risk Management
• Information
• Security
• Asset Protection
• Corporate Ethics
• Culture
888-580-8373 | www.hcca-info.org 30
Enterprise-Wide Risk Assessment
• Financial
– Credit
– Capital Markets
– Treasury Risk
– Market Risk
– Liquidity Risk
– Economic
– Financial Internal Control
16
888-580-8373 | www.hcca-info.org 31
Enterprise-Wide Risk Assessment
• Compliance
– Operations Compliance
– Business
– SEC
– NASCAQ
– NYSE
– Regulatory
888-580-8373 | www.hcca-info.org 32
Identifying Regulatory Compliance Risks
• Health Care CMS
• Congress
• Supreme Court
• Federal Circuit Courts
• Departmental Appeals
• OIG
• PROs
• Carriers
• PRRB
• FAA
• OPOs
• SEC
• IRS
• EPA
• FTC
• FCC
• HHS/HRSA
• JCAHO
17
888-580-8373 | www.hcca-info.org 33
Identifying Regulatory Compliance Risks
• Intermediaries
• Regional Offices
• Medicare Integrity Program Contractors
• DME Regional Contractors
• Regional Home Health Intermediaries
• DEA
• NRC
• DOL
• FBI
• Treasury
• DOJ
• OSHA
• DOT
• FDA
888-580-8373 | www.hcca-info.org 34
State Level
• Survey and Certification
• Courts
• Attorney Generals
• Medicaid
• Health Boards
• Medical Boards
• Local Governments
• Licensure
18
888-580-8373 | www.hcca-info.org 35
E-Health Risk
• Ability to Audit
• Violations
• External Penetration
• Education
• Record Retention
888-580-8373 | www.hcca-info.org 36
CMS Areas of High Risk Fraud
• Sudden changes in billing
• Spike billing
• Billing by inappropriate specialties
• Billing of inappropriate diagnoses
• Increased beneficiary complaints
• Compromised beneficiary and/or provider identities
• Geographical changes in billing
19
888-580-8373 | www.hcca-info.org 37
CMS Areas of High Risk Fraud
• High comprehensive error rate testing (CERT) rate
• Identity theft (provider and beneficiary)
• Beneficiary recruitment (capping)
• Out of the norm
• Deceased patients
• Billing for Part B instead of Part A
• Physician/Patient billing relationship
• Deceased physicians
888-580-8373 | www.hcca-info.org 38
Compliance Risks
• Physician Billing and Coding
• Laboratory
• Radiology
• Research & Grants
• Retirement/Benefits
20
888-580-8373 | www.hcca-info.org 39
Management Responsibility
� Identifying risk
� Implementing controls or other techniques to manage risk
�Avoid risk
�Transfer risk
�Accept risk
�Reduce or mitigate risk
888-580-8373 | www.hcca-info.org 40
Who Manages Risk?
Management of Risk
LegalCompliance
Internal Audit
Risk
Management
Quality
Administration
21
888-580-8373 | www.hcca-info.org 41
ANNUAL COMPLIANCE RISK ASSESSMENT
888-580-8373 | www.hcca-info.org 42
Risk Assessment Approach
What are the steps?
22
888-580-8373 | www.hcca-info.org 43
Risk Assessment Approach
• Determine the scope and preliminary list of compliance risks to be assessed
• Identify key compliance risk-related data
• Finalize set of risks to be assessed
• Evaluate control activities and level of risk mitigation
• Calculate risk concern level and rank risk areas
• Confirm risk evaluation results
• Create action plan
888-580-8373 | www.hcca-info.org 44
Risk Assessment
Purpose: Evaluate risk areas under the direction of counsel
• Review existing organizational documents
• Conduct interviews with individuals from Compliance Team, management, billing, etc.
• Test transactions based on interviews
• Conduct a baseline review
• Develop a list of risk areas
23
888-580-8373 | www.hcca-info.org 45
A Risk Assessment Review Will
• Reduce the settlement if investigated
• Demonstrate to prosecutors that treble damages are unnecessary
• Demonstrate to the OIG that a corporate integrity agreement (CIA) is unnecessary or should be reduced
• Clarify necessary budgeting expenses for compliance
• Prioritize existing compliance resources
• Fulfill your board’s compliance oversight responsibility
• Determine whether education has been adequate and whether staff understands policies and procedures
• Establish whether employees trust and use the anonymous reporting mechanism
• Ensure that reported incidences are resolved appropriately
888-580-8373 | www.hcca-info.org 46
“In addition, the audits and reviews should
inquire as to compliance with specific rules
and policies that have been the focus of
particular attention on the part of the
intermediaries or carriers, law enforcement as
evidenced by OIG Special Fraud Alerts, OIG
audits and evaluations, and law enforcement’s
initiatives.”
http://http://oigoig..hhshhs..govgov/publications//publications/workplanworkplan.html.html
24
888-580-8373 | www.hcca-info.org 47
Risk Identification
• Interviews
• Document review
� Compliance Program Guidance
� OIG Work Plan
� Fraud Alerts
� Special Advisory Bulletins
� Management Input
� Previous Audits/Reviews
� Industry Newsletters
� Third Party Litigation
• Employee surveys
• Other?
888-580-8373 | www.hcca-info.org 48
Conference Board Report –Methods Utilized to Identify Risks
• Internal Document Review (e.g., hotline reports, internal audit reports) 81%
• Interviews of Leadership and Employees 79%
• Workforce Surveys 39%
• External Document Reviews (e.g., newsletters, third-party litigation) 33%
• Focus Groups 23%
2006 Compliance Program and Risk Assessment Benchmarking Survey
25
888-580-8373 | www.hcca-info.org 49
Other issues that keep you up at night?
888-580-8373 | www.hcca-info.org 50
Risk Ranking
RedYellowYellowGreenGreen
RedYellowYellow GreenGreen
RedRedYellowYellowGreen
RedRedYellowYellowYellow
RedRedRedRedYellow
Almost Certain
Likely
Possible
Unlikely
Rare
Insignificant Minor Moderate Major Catastrophic
Consequence
LIKELIHOOD
26
888-580-8373 | www.hcca-info.org
Research Risk Ranking Scale
Level I = High Priority•Must Do Items
Level II = Medium Priority
•Should Do Items
Level III = Low Priority
•If Times Permits Items
Items for work plan
888-580-8373 | www.hcca-info.org 52
Annual Audit and Compliance Work Plan
WorkWork
PlanPlan
27
888-580-8373 | www.hcca-info.org 53
Audits/Compliance Reviews
• Compliance
• Financial
• Operational
• Investigative
• Special Management Requests
• Due Diligence
• Attorney Work Product
• Outside Agency
• External Auditors
888-580-8373 | www.hcca-info.org 54
28
888-580-8373 | www.hcca-info.org 55
Directing and Coordinating
888-580-8373 | www.hcca-info.org 56
Directing and Coordinating
29
888-580-8373 | www.hcca-info.org 57
Compliance Monitors
888-580-8373 | www.hcca-info.org 58
Quality Compliance Monitors(Trend: ���� = Positive ����= Negative)
April - June 2008
Jan - Mar Quarter
80%9) Clean Claim Rate
95%8) Coding Accuracy Rate
100%7) Outside Agency Response Rate
100%6) OIG Sanctions/GSA Debarments/Terrorists List Verification
100%5) Rehab Discharge Dispositions
100%4) Discharge Dispositions
100%3) One Day Stays Medical
Necessity Documentation
100%2) Physician Contracts (expired)
100%1) EMTALA
TrendingApril - June Quarter
TargetMonitors
30
888-580-8373 | www.hcca-info.org 59
Personnel Access Control
888-580-8373 | www.hcca-info.org 60
Session Review
31
888-580-8373 | www.hcca-info.org 61
Name Three (3) Types of
Internal Controls
888-580-8373 | www.hcca-info.org 62
Name Three (3) Benefits of
Conducting CSA
32
888-580-8373 | www.hcca-info.org 63
Name Five (5) High-risk Fraud Areas Identified by CMS
888-580-8373 | www.hcca-info.org 64
Name Three (3) Universal Risks
33
888-580-8373 | www.hcca-info.org 65
What are two (2) things you should look at when Ranking Risk?
RedYellowYellowGreenGreen
RedYellowYellow GreenGreen
RedRedYellowYellowGreen
RedRedYellowYellowYellow
RedRedRedRedYellow
888-580-8373 | www.hcca-info.org 66
Name two (2) things a risk assessment can do
34
888-580-8373 | www.hcca-info.org 67
Name three (3) ways to identify compliance risk
888-580-8373 | www.hcca-info.org 68
Thank You!Questions?