The Growing Case for Hospital Internal Audit Services

by Brad King Hospital boards and executive teams are confronted with a growing array of financial and compliance issues. Failure to fully comply with the requirements of these regulations may expose the hospital, and even its officers and board members, to both civil and criminal penalties. In even the best managed hospitals, the risk exists that the multitude of pressures will cause even well-intentioned management to overlook implementation of necessary controls in one or more key areas.
Advice from the Health and Human Services Office of Inspector General (HHS OIG)

Hospital internal auditors need to bring a wide breadth of expertise to their role of testing the hospitals compliance and internal controls.
that does not condone/is not conducive to illegal activities. An effective internal audit function can be the muscle in carrying out those responsibilities. Other similar guidance includes: SAS 99: Consideration of Fraud in a Financial Statement Audit Accompanying Exhibit: Management Antifraud Programs and Controls: Guidance to Help Prevent and Detect Fraud Proposed SSAE: Reporting on an Entitys Internal Control Over Financial Reporting Proposed SAS: Communication of Internal Control Related Matters Noted on an Audit SEC Rule 15c2-12: Municipal Securities Disclosure Requirements As the HHS OIGs guidance said, given the expansion of health care regulatory enforcement and compliance activities and the heightened attention being given to the responsibilities of corporate directors enhanced oversight of corporate compliance programs is widely viewed as consistent with and essential to ongoing federal and state corporate responsibility initiatives. In addition, the OIG stated, compliance risk is further mitigated through internal review processes. Monitoring and auditing provide early identification of program or operational weaknesses and may substantially reduce exposure to government or whistleblower claims Although many assessment techniques are available, one effective tool is the performance of regular, periodic compliance audits by internal or external auditors. What types of expertise are needed within the hospital internal audit function? Hospital internal auditors need to bring a wide breadth of expertise to their role of testing the hospitals compliance and internal controls. Necessary expertise includes: Health care audit Health care finance HIPAA Information technology Medicare and Medicaid reimbursement Managed care Medicare fraud & abuse Medicare false claims act

Not-for-profit tax Services coding Stark laws knowledge

Acquiring the needed expertise

Hospitals have two major alternatives for implementing internal audit programs: they can attempt to hire qualified staff internally, or outsource the internal audit function to a qualified health care audit firm. It may be very difficult for a small to midsize hospital to acquire all the necessary expertise in one or two employees. But, working with the hospitals compliance officer and chief financial officer, and following an initial organizational risk assessment, an outsourced service provider may be able to cost-effectively package the expertise of many different individuals in a multi-year internal audit program approved by the hospital boards audit committee. Brad King is a principal with the LarsonAllen Health Care Group. Contact Brad at bking@larsonallen.com or 504/237-3173.

While the recently imposed Sarbanes/Oxley Act does not specifically apply to nonprofit hospitals, selected states (including California) have imposed their own equivalent requirements on all organizations incorporated within their states, both for-profit and nonprofit. In addition, new accounting standards and SEC rules applying to municipal securities impose additional requirements. Directors responsibilities arise from two distinct concepts: the decision-making function and the oversight function. In April 2003, the HHS Inspector General in collaboration with the American Health Lawyers Association published Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors. This guidance opens by identifying the growing body of pronouncements bringing corporate directors under greater scrutiny. It emphasizes the fiduciary responsibility of hospital board members, the duty of care standard (in addition to the duty of loyalty and duty of obedience to purpose), and the concept of reasonable inquiry. The basic fiduciary care principle requires a director to act in good faith with the care an ordinary prudent person would exercise under similar circumstances. As the OIG states, Personal liability for directors, including removal, civil damages, tax liability and damage to reputation, appears not so far from reality as once believed.
The value of internal audit services

Whats Your Organizations Disaster Recovery Plan?

by Mark Eich
Disaster recovery/continuity planning

It is essential to prepare for a disaster before it occurs. Disaster planning should contemplate all aspects of your business, not just the IT function. A Certified Business Continuity Planner can help you to document management-approved procedures for disaster response, recovery and restoration along with operational procedures for continuing business operations. As a result, your business will be ready and able to serve your customers in the time of crisis.
Any of these sound familiar?

Arent internal audit services duplicating what independent auditors are already supposed to be doing? Many authoritative announcements say No! Independent auditors are prohibited from auditing their own work. So, they cant both help design accounting systems and controls and audit their effectiveness. But, internal auditors can design and test systems and controls, with independent auditors later reviewing the reliability and appropriateness of their work. In addition, the OIGs recent guidance states that corporate management, boards and audit committees must be equal partners with auditors in creating an environment

Our current recovery plan was created prior to Y2K and does not provide sufficient recovery detail for how we do business today. Our plan does not account for the new risks facing our business. How do we prepare for Internet security breaches, computer viruses and terrorism threats? We are dependent on the technical knowledge of a few key individuals and fear that they may not be available when needed. While we are confident in our ability to recover data and IT systems, we lack the appropriate procedures to continue service to our customers during a disruption. Whether you need to create or simply update your current plan, a professional can help you document comprehensive disaster recovery and business continuity procedures to be used in the wake of disruption to meet your companys recovery objectives. Mark Eich is a principal with LarsonAllen Information Security Services. Contact Mark at meich@larsonallen.com or 612/397-3128.

LarsonAllen EFFECT / Spring 2004 15