Specialized Industry Hospital
Consideration of Internal Control
SGB & CO.
Account for Accuracy & Reliability
Auditors are not responsible for establishing and maintaining an entity’s internal control systems; however,
auditors should still give adequate consideration to these controls because the quality of the entity’s internal
control systems can have a significant impact on the audit.
Considering internal control involves the study and evaluation of the internal control of an entity, which helps
provide a basis for planning the audit to determine the nature, timing, and extent of audit procedures. This also
provides a basis for constructive suggestions to management about improvements in internal control structure.
The steps involved in consideration of internal control are as follows:
1) Obtain sufficient understanding of the internal control relevant to the audit
- In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by
performing procedures to understand the design of controls relevant to an audit of financial statements and
determining whether they have been placed in operation. In obtaining this understanding, the auditor considers
how an entity’s use of information technology (IT) and manual procedures may affect controls relevant to the
audit.
2) Perform preliminary assessment of control risk.
- The auditor then assesses control risk for the relevant assertions embodied in the account balance, transaction
class, and disclosure components of the financial statements. Regardless of the assessed level of control risk,
the auditor should perform substantive procedures for all relevant assertions related to all significant accounts
and disclosures in the financial statements.
3) Perform tests of controls
- The auditor may determine that assessing control risk below the maximum level for certain assertions would
be effective and more efficient than performing only substantive tests. In addition, the auditor may determine
that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive
tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential
matter about the effectiveness of both the design and operation of controls to reduce the assessed level of
control risk. Such evidential matter may be obtained from tests of controls planned and performed concurrent
with or subsequent to obtaining the understanding. Such evidential matter also may be obtained from
procedures that were not specifically planned as tests of controls but that nevertheless provide evidential matter
about the effectiveness of the design and operation of the controls. For certain assertions, the auditor may desire
to further reduce the assessed level of control risk. In such cases, the auditor considers whether evidential
matter sufficient to support a further reduction is likely to be available and whether performing additional tests
of controls to obtain such evidential matter would be efficient.
Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are
unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of
controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests
would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation,
recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the
desired assurance only from substantive tests would significantly diminish.
The auditor uses the understanding of internal control and the assessed level of control risk in determining the
nature, timing, and extent of substantive tests for financial statement assertions.
The World Health Organization (WHO) consists of all organizations, people and actions whose primary interest is
to promote, restore, or maintain health. Their outcomes and goals include improving health and health equity
in ways that are responsive, financially fair, and make the best or most efficient use of available resources, as
well as greater access to and coverage for effective health interventions.
WHO has developed its health systems framework, which is composed of six building blocks that, when taken
together, (a) give a picture of the state of the health care system in a country, and (b) help achieve the intended
goals and outcomes.
The six building blocks of the health systems framework by WHO in the Philippine scenario
1) Leadership and governance
- As the national technical authority on health, the DOH provides national policy direction and strategic
plans, regulatory services, standards and guidelines for health, and highly specialized and specific tertiary-
level hospital services. It provides leadership, technical assistance, capacity building, linkages and
coordination with other national government agencies, LGUs and private entities in implementing health
policies. The LGUs, i.e. provincial, city and municipal governments, on the other hand, are responsible for
managing and implementing local health programmes and services. A local health board chaired by the local
chief executive (governor or mayor) serves as an advisory body to the local chief executives and the local
legislative council members (sanggunian) on the local health system, while the DOH Regional Health Office
is represented by either a DOH representative or Development Management Officer under the DOH
Provincial Health Team.
In Mindanao, a distinct subnational entity called the Autonomous Region in Muslim Mindanao (ARMM)
was created by Republic Act No. 6734, as amended by Republic Act No. 9054. ARMM consists of five
provinces and has its own regional Department of Health that is directly responsible to the ARMM Regional
Governor. It directly administers the provincial, city and municipal health offices, and the provincial and
district hospitals within the autonomous region.
3) Health workforce
- To achieve the best health outcomes possible, our human resources for health should have:
• Sufficient numbers
• Right mix of staff
- DOH efforts for the geographical disparity in the availability of health workers:
• Doctors to the Barrios (DTTB)
• Nurses Deployment Program (NDP, formerly RN HEALS)
• Rural Health Midwife Placement Program (RHMPP)
- Major employers:
• Doctors – 50% (public / private)
• Nurses – 61% (private)
• Midwives – 91% (public)
• Med tech – 53% (public)
• Allegedly computerized but still highly reliant on outdated paper and pen systems in the frontlines
• eFHSIS, PIDSR, SPEED, ClinicSys, PhilHealth Dashboard
■ Management’s philosophy and operating style
■ Organizational structure
■ Assignment of authority and responsibility
■ Independent checks on performance
While healthcare organizations continue to mature in identifying and protecting physical property, intellectual
property, and data assets, a lack of preparedness for detecting and responding to cyberthreats persists. Detecting
cyberthreats requires significant investment in personnel and technology to support monitoring of networked
systems, which presents challenges to thinly stretched IT and security budgets. To complicate matters, the
healthcare industry is unique in the sense that it has to consider security events such as ransomware and
distributed denial of service (DDoS) as well as Health Insurance Portability and Accountability Act (HIPAA)
regulations, which require healthcare entities to also plan for violations of patient privacy and inappropriate access
to sensitive patient information. This combination increases the complexity of the detective capabilities and
incident response plans. Preparedness measures such as walk-throughs of response plans, tabletop exercises, and
disaster recovery tests require coordination and time from several groups beyond IT. The healthcare industry’s
high integration rate of mobile devices, cloud services, and network-connected biomedical devices further hinders
even the best efforts to monitor all systems and have proper response plans in place. It is easy to overlook the
costs of resources required to develop, maintain, and continually improve security detection and response
capabilities. Security incidents are, unfortunately, inevitable, and leadership is seeing the need to shift its focus to
developing strong detective and corrective processes and controls to support the protective controls already in
place.
Clinical quality
As more payment models shift from volume to value, many commercial payers are reimbursing based on quality,
following the lead of government payers. Federal and state regulators have required organizations to publicly
report quality measures and have tied quality to reimbursement through incentives, payment reduction, and
penalties. Healthcare organizations are facing increased risks related to not having processes in place to provide
and improve quality care, adversely affecting patient outcomes, cost of care, reputation, and financial performance
through pay-for-performance penalties.
The COVID-19 pandemic has highlighted the importance of strong processes and contingency plans to maintain
quality performance through catastrophic times. For example, healthcare organizations need to consider how they
will staff quality functions and other administrative responsibilities during an emergency, how they will deliver
the consistent application of important nurse-driven protocols (such as Foley removal), and how they will address
scope-of-practice issues as staff is redirected to other duties.
Physician alignment
Physician alignment risks have increased over recent years as physicians rapidly opt out of private practice. As
healthcare organizations contract with more and more physicians, it is critical that the organizations verify that
expectations and contract provisions are appropriate and complied with, without violating federal fraud and abuse
statutes (for example, Stark Law and anti-kickback laws). Health systems also increasingly have integrated the
operational and compliance risks related to physician practice management, including patient scheduling and
registration, patient billing, cash handling, prescription and medication management, coding, human resource
management, and information systems administration. Challenges still exist due to the geographic dispersion of
physician practices; for example, many are remote from the hospital campuses to which they are associated and,
therefore, might not be included within the day-to-day scope of work for all oversight functions including
compliance, IT security, and patient safety.
However, the most critical integration risks are strategic and longer term: physician alignment and engagement.
The increased efficiencies and coordination required by healthcare reform and new payment models cannot be
contracted into existence. Physician leadership is essential to increasing the quality of patient care, managing
health system costs, and successfully competing in the arena of patient consumerism and satisfaction. Clinical
champions must be identified and empowered to address emerging clinical risks, including effectively responding
to pandemics and combating the national opioid epidemic. The engagement required for such leadership is under
constant threat of clinician burnout due to increased workloads, loss of control, and ever-changing administrative
requirements.
Price transparency
While previous federal and state legislation has addressed healthcare price transparency for consumers, a new
Centers for Medicare & Medicaid Services (CMS) rule published Nov. 27, 2019, will make hospital requirements
more stringent. The “Price Transparency Requirements for Hospitals to Make Standard Charges Public” final rule
(85 Fed. Reg. 65524) will become effective Jan. 1, 2021. Under the final rule, hospitals will be required to capture
and publicly disclose significant amounts of information including gross charges, payer-specific negotiated rates,
cash prices for the many inpatient and outpatient items and services offered by each hospital, and Healthcare
Common Procedure Coding System codes. In addition, the final rule requires shoppable services (that is, services
that can be scheduled by a consumer in advance, such as a knee replacement) to be publicly disclosed as well.
Gathering and disseminating this information will be complex and require diligence and collaboration. Hospitals
might need to redesign current data collection processes, as robust data management and retrieval will be vital to
timely compliance. According to CMS, lack of price transparency is one cause of escalating healthcare costs, and
greater transparency is expected to encourage choice and competition, thereby lowering prices. The final rule
provides CMS with the authority to monitor, audit, and mandate corrective action plans. Compliance with price
transparency requirements presents a new reputational risk to hospitals as CMS is authorized to impose – and
publicize – civil monetary penalties of $300 per day for noncompliance.
of patient care, digital security, compliance, and reputation. Joint venture arrangements have become increasingly
complex in sharing of revenues and expenses; achieving performance and return on investment; and complying
with a broad spectrum of regulations, including HIPAA, Stark Law, antitrust, and the False Claims Act.
The owners of a joint venture should implement adequate oversight processes at both the owner level and the joint
venture level. Additionally, joint ventures should maintain effective monitoring controls such as having a board of
directors with broad business, technology, and clinical expertise; a compliance program; and an internal audit
function. Without these, healthcare organizations are vulnerable to financial loss, fines and penalties for
compliance violations, failure to achieve and sustain growth goals, and significant reputational and legal damages.
Telemedicine
As the threat of COVID-19 expanded, telehealth and telemedicine evolved from an optional convenience to an
absolute necessity in the span of a few weeks. This shift resulted in health systems scrambling to rapidly develop
existing platforms or build out new ones in order to continue treating patients. In implementing the technologies
and processes to support these initiatives, healthcare organizations also must implement strong controls for remote
service delivery and supporting technologies. These controls are necessary to address and adhere to clinical
standards (such as provider capabilities, credentialing, and standards of care), promote high-quality care,
minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.
• Clinical documentation improvement, where outsourced and automated processes might not accurately direct
resources to the greatest opportunities.
• Utilization management, where ineffective work queue automation might cause patient accounts to fall through
the cracks.
• Emergency department (ED) coding, where organizations might not always have visibility into the logic used to
assign ED levels.
While the Affordable Care Act (ACA) is considered by many to be established legislation, the U.S. Supreme
Court continues to hear challenges that could eliminate provisions beneficial to health systems. Because the
Trump administration, including the U.S. attorney general, is in agreement with ACA challengers and because the
Supreme Court leans conservative, it is again possible that the ACA will be struck down or significantly changed.
At the same time, the current period of economic uncertainty and high unemployment puts health systems at risk
from patients without health coverage or with less coverage due to the loss of employer-funded insurance.
Hospitals should continue to monitor their methodologies for net patient service revenue calculations and reserve
estimates during this time of great upheaval.
Furthermore, searching for additional tax revenues to recover from economic struggles, state and local
governments might continue to challenge not-for-profit health systems’ executive pay, community benefit
provided, and tax-exempt status.
Possible results of noncompliance with the many regulations faced by healthcare organizations include class-
action lawsuits and significant legal, regulatory, and financial consequences. And, even in cases in which the
government doesn’t take action, whistleblowers (often from within an organization) might be financially
rewarded using “qui tam” lawsuits to take action on the government’s behalf to recoup government funds under
the False Claims Act. Other common results of noncompliance include fines, reputational loss, and costly
corporate integrity agreements.
To avoid these risks, it is important that healthcare providers understand the federal government’s focus areas
relative to combating fraud, waste, and abuse, which can be accomplished through regular review of state and
federal regulator websites. For example, the Office of Inspector General’s (OIG) Work Plan is updated monthly
and made publicly available on the OIG website. Current OIG focus areas include inpatient hospital billing, CMS
oversight of nursing facility staffing levels, compliance with CMS transfer policies, billing of critical care service
levels, and use of condition codes. Although lengthy, the OIG Work Plan is organized by the date that each plan
item was announced or revised and provides the reader with a condensed, summarized list of current focus areas.
Conducting regular monitoring and independent audits based on the OIG Work Plan is a vital strategy in
proactively mitigating or detecting regulatory risk.
Health systems also should be proactive and undertake audits of physician transactions, care coordination
functions, billing, and claims coding. In addition to these audit areas, health systems should consider periodic
reviews of the effectiveness of their compliance programs, which help safeguard against regulatory and “qui tam”
legal action through providing means to report and take corrective action internally.
I. BRAINSTORMING CONFERENCE
Instructions: Members of the audit team are required to discuss the susceptibility of the Hospital’s financial
statements to material misstatement due to fraud or error. The discussion should include an open exchange of
ideas (brainstorming). The discussion should also emphasize the importance of exercising professional
skepticism throughout the audit. The discussion may occur prior to, or in conjunction with, other audit
planning procedures, but should take place each year. The manager should determine which matters are to be
communicated to members of the audit team not involved in the discussion.
If the audit is a Single Audit, completion of this procedure should include consideration of both the audit of the
financial statements and the federal awards.
Participants:
Name Title
1. Describe how the discussion occurred (e.g. face-to-face meeting, conference call).
3. Did information arise during the brainstorming meeting which may be relevant to identifying risks of material
misstatement due to fraud or error?
Yes (Document on Part IV)
No
Comments:
Instructions: Auditors are required to make inquiries of management and others about the risks of fraud.
Inquiries should be made each year in the planning stage of the audit. This form can be used to document the
auditor’s inquiries of management and other employees. Conducting one-on-one interviews with members of
management and other employees is the most appropriate way of accomplishing the objectives of the inquiry
process. Management interviewed should include, at a minimum, all those who sign the management
representation letter.
If the audit is a Single Audit, completion of this procedure should include consideration of both the audit of the
financial statements and the federal awards. Alternatively, the auditor may wish to complete separate forms.
(A separate form should be used for each person interviewed) A.
1. Inquire of the Hospital’s management about whether it is aware of (1) actual or suspected fraud or (2) any
allegations of fraud (e.g., communications from employees or others). Describe.
2. Inquire of the Hospital’s management about its understanding of the risks of fraud within the Hospital,
including any specific risks identified or account balances or transaction classes where fraud is likely to
occur. Describe.
3. Inquire of the Hospital’s management about the programs and controls it has established to mitigate fraud
risks and how it monitors such programs and controls. Describe.
4. Inquire of the Hospital’s management about the nature and extent of monitoring of operating locations,
where applicable, and whether there are particular units for which a risk of fraud may be more likely to
exist. Describe.
5. Inquire of the Hospital’s management about whether and how it communicates to employees its views on
business practices and ethical behavior. Describe.
6. Inquire of the Hospital’s management about whether it has reported to the audit committee, or its
equivalent, on how the Hospital’s internal control monitors the risks of material fraud. Describe.
7. Inquire of the Hospital’s management about their compliance with laws and regulations. Describe.
8. Inquire of the Hospital’s management about the existence of any agreements containing confidentiality
clauses. Describe.
9. Inquire as to whether the person being interviewed is aware of any abuse (i.e. misuse of authority,
unneeded overtime, requesting staff run personal errands, expensive procurements, etc.). Describe.
10. Inquire as to whether the person being interviewed is aware of any employees or officials with possible
financial pressures (i.e. gambling, excessive shopping, sudden medical expenses, lifestyle changes, etc.).
11. Did information arise from inquiries of management which should be considered further in identifying
risks of material misstatement due to fraud?
Yes (Document on Part IV)
No
Comments:
B. Others Interviewed:
Name Title
1. Inquire of others within the Hospital (others can include operating personnel not directly involved in
the financial reporting process, employees with different levels of authority, employees involved
with initiating, recording or processing complex or unusual transactions or in-house legal counsel)
about any actual fraud or suspected fraud. Describe.
2. Inquire as to whether the person being interviewed is aware of any abuse (i.e. misuse of authority,
unneeded overtime, requesting staff run personal errands, expensive procurements, etc.).
Describe.
3. Inquire as to whether the person being interviewed is aware of any employees or officials with
possible financial pressures (i.e. gambling, excessive shopping, sudden medical expenses,
lifestyle changes, etc.).
4. Did information arise from inquiries of others which should be considered further in identifying risks
of material misstatement due to fraud?
Yes (Document on Part IV)
No
Comments:
Name Title
1. Inquire of individuals involved in the financial reporting process about inappropriate or unusual
activity relating to the processing of journal entries and other adjustments. Describe.
2. Did information arise from inquiries of others which should be considered further in identifying risks
of material misstatement due to fraud?
Yes (Document on Part IV)
No
Comments:
Name Title
1. Where applicable, inquire of the audit committee or its equivalent, or at least its chair, about (1) its
views about the risks of fraud, (2) whether it has knowledge of any actual fraud or suspected
fraud and (3) how it exercises its oversight of the Hospital’s assessment of risks of fraud and the
programs and controls the Hospital has adopted to mitigate those risks. Describe.
2. Did information arise from inquiries of audit committee or equivalent personnel which should be
considered further in identifying risks of material misstatement due to fraud?
No
Comments:
Name Title
1. Where applicable, inquire of internal audit personnel about (1) their views of the risks of fraud, (2)
any procedures they performed to identify or detect fraud during the period under audit, (3)
management’s response to the findings and (4) whether they have knowledge of any actual fraud
or suspected fraud. Describe.
2. Did information arise from inquiries of internal audit personnel which should be considered further
in identifying risks of material misstatement due to fraud?
Yes (Document on Part IV)
No
Comments:
C. Attitudes/Rationalizations
1. Were there numerous significant audit adjustments in prior
periods?
2. Is there an excessive interest by management to meet
performance targets through the use of unusually aggressive
accounting practices?
3. Has management failed to effectively communicate and
support the Hospital’s values or ethics?
4. Has management failed to effectively communicate
inappropriate business practices or ethics?
5. Has management failed to correct known significant
deficiencies or material weaknesses in internal control on a
timely basis?
6. Has management displayed a significant disregard for
regulatory requirements, including, when applicable, federal
and state award compliance requirements?
7. Does management have a poor reputation?
8. Does management have a history of violating laws,
regulations, debt covenants, contractual obligations or federal
and state award compliance requirements?
9. Do non-financial management or personnel excessively
participate in the determination of significant estimates or
selection of accounting principles?
10. Are there frequent disputes on accounting, auditing or
reporting matters between management and the current or
predecessor auditor?
11. Has management made unreasonable demands on the auditor,
such as unreasonable time constraints on completion of the
audit or an excessive emphasis on reducing the audit fee?
12. Has management placed restrictions on the auditor (formal or
informal) that inappropriately limit access to people or
information or inappropriately limit communication with the
governing body or audit committee?
13. Has management failed to respond to specific inquiries or to
volunteer information regarding significant or unusual
transactions?
Do conditions exist which indicate there may be incentives/pressures, opportunities or attitudes/rationalizations
for management to intentionally misstate the financial statements?
Yes (Document on Part IV)
No
Comments:
oversight)?
10. Does the Hospital lack an appropriate system for
authorizing and approving transactions (for example, in
purchasing or payroll disbursements)?
11. Are there poor physical safeguards over assets susceptible to
misappropriation (for example, inventory not stored in a
secured area, cash or investments kept in unlocked
drawers, etc.)?
12. Is there a lack of timely and
appropriate documentation for transactions affecting
assets susceptible to misappropriation?
13. Is there a lack of mandatory vacations for employees in key
control functions?
14. Does management have an inadequate understanding of
information technology which enables IT employees to
perpetrate a misappropriation?
15. Are access controls over automated
records inadequate (including controls over, and
review of, computer system event logs)?
C. Attitudes/Rationalizations
1. Do employees who have access to assets susceptible to
misappropriation show:
a. Disregard for the need for monitoring or reducing
risks related to misappropriation of assets?
b. Disregard for internal control over misappropriation
of assets by overriding existing controls?
c. Disregard for internal control over misappropriation
of assets by failing to correct known internal control
deficiencies?
2. Do employees who have access to assets susceptible to
misappropriation exhibit behavior indicating displeasure or
dissatisfaction with the Hospital or its treatment of its
employees?
3. Have you observed any unusual or unexplained changes in
behavior or lifestyle of employees who have access to
assets susceptible to misappropriation?
No
Comments:
List any additional fraud factors or conditions identified as being present. Additional factors may have been
identified through inquiry of management in the entrance conference. Also, document any compensating
controls.
If improper revenue recognition was not identified as a risk of material misstatement due to fraud, describe the
reasons regarding how that presumption was overcome.
The way the auditor responds to the risks identified during the risk assessment process depends on the nature
and significance of the risks identified and on the Hospital’s programs and controls to address such risks.
The auditor should take into account the various risk assessment procedures performed, including
preliminary analytical procedures, brainstorming session, information obtained about the Hospital and its
environment, including internal controls, fraud risk considerations and any other sources providing
information about relevant risks. For single audits, the auditor should consider the risk noncompliance may
cause the financial statements to contain a material misstatement. Auditors respond to the results of the risk
assessment in three ways: (1) an overall response as to how the audit is conducted, (2) specific responses
involving modification of the nature, timing and extent of procedures to be performed and (3) responses to
further address the fraud risk of management override of controls.
1. Overall response to financial statement risks – Describe overall risks at the financial statement
level that may affect many assertions and the planned response to identified risks. Examples
of overall risks include weaknesses in the control environment, changes in management,
motivation by management to fraudulently misstate the financial statements, etc. Appropriate
responses may include (1) assignment of personnel and supervision, (2) scrutiny of
management’s selection and application of significant accounting principles and (3) including
an element of unpredictability in audit procedures and tests.
2. Specific responses to risks – If any risks are considered significant, the risk and the auditor’s
response to the risk should be included in the risk assessment summary form. For less
significant risks, describe your specific responses, if any, to identified risks, including
modification of the nature, timing and extent of audit procedures.
See audit program steps W and Y on audit program section Completion of Audit
In-charge
Manager Date
Independent
Reviewer Date
ACCOUNT BALANCE/CLASS OF TRANSACTION | MAT. BAL. (y/n) | MAJ. PROG (y/n) | Inherent Risk (High / Mod / Low) | Over All CR | TOC (y/n) | RMM | Allowable DR
Cash
Investments
Taxes Receivable
Accounts Receivable
Deferred Outflows of Resources
Prepaid Expense
Inventories
Capital Assets
Accounts Payable
Other Liabilities
Compensated Absences
Other:
ACCOUNT BALANCE/CLASS OF TRANSACTION | MAT. BAL. (y/n) | MAJ. PROG (y/n) | Inherent Risk: High, Mod, Low | Over All CR | TOC (y/n) | RMM | Allowable DR
Statement of Activities/Statement of Revenues, Expenditures and Changes in Fund Balances
Property Tax
Revenue - Intergovernmental
Revenue – Proprietary
Other Revenue
Expenditures
Expenditures - Procurement/Credit Cards
Payroll
Transfers
Depreciation
Financial Reporting (Presentation and Disclosure)
Other:
Cash
Investments
Taxes Receivable
Accounts Receivable
Prepaid Expense
Inventories
Capital Assets
Accounts Payable
Other Liabilities
Compensated Absences
Other:
Statement of Activities/Statement of Revenues, Expenditures and Changes in Fund Balances
Property Tax
Revenue - Intergovernmental
Revenue – Proprietary
Other Revenue
Expenditures
Expenditures - Procurement/Credit Cards
Payroll
Transfers
Depreciation
Financial Reporting (Presentation and Disclosure)
Other:
General Assessment | Rating: Inadequate (-1), Needs Improvement (0), Adequate (+1) | Comments (Use additional sheets if necessary)
1. Control Environment
a. There is a clear set of standards for internal control.
Gap(s) & Action:
d. The code of ethics includes requirements of top management and senior staff to
disclose gifts, outside interests, personal financial interests, outside positions, and
other potential conflicts.
Due Date:
e. The code of ethics is being followed by staff, and includes disclosure by top
management and senior staff.
f. Management and staff exhibit a supportive attitude toward internal control at all
times throughout the organization, including dedicating qualified full-time staff to
this function; issuing, updating, and communicating necessary policies and
procedures on a regular basis; and recognizing compliance as an element of annual
performance.
i. Human resources policies and practices are supportive. For instance, recruitment,
performance appraisal, and promotion processes are based on merit.
2. Risk Assessment
c. Internal audit reviews these risks and controls as part of the annual audit program.
Due Date:
3. Control Activities
a. In general, control activities occur throughout the organization, at all levels and in all
functions. They include a range of detective and preventive control activities such as
authorization and approval procedures; segregation of duties (authorizing,
processing, recording, reviewing); controls over access to resources and records;
verifications; reconciliations; reviews of operating performance; reviews of
operations, processes, and activities; and supervision (assigning, reviewing and
approving, guidance, and training).
b. Ministry of Health has its own financial policies and procedures implementing those
of the Ministry of Finance.
Gap(s) & Actions:
c. Ministry adheres to Ministry of Finance and Ministry of Health financial policies and
procedures.
d. Effective financial accounting system and controls are in place.
Person Responsible:
h. There are opportunities for stakeholders to review and comment on budgets before
they are finalized.
i. Policy costs are estimated and forecast properly for future years.
j. The budget document includes activity statistics and performance information on the
effectiveness of existing programs.
p. System software controls limit and monitor access to programs and sensitive files that
control the computer hardware and secure applications.
b. Recording covers the entire process or life cycle of a transaction or event.
Gaps & Actions:
c. Information is organized, categorized, and formatted such that reports, schedules, and
financial statements can be prepared.
Responsible Person:
Due Date:
f. The internal control system and all transactions and significant events are fully and
clearly documented (e.g., flow charts and narratives) and readily available for
examination. (Extent is appropriate to the organization’s size and complexity.)
5. Monitoring
b. Ongoing monitoring activities cover each of the internal control components and
involve action against irregular, unethical, uneconomical, inefficient, and ineffective
internal control systems.
c. The monitoring process reacts dynamically to changing conditions through regular
updates to policies and procedures communicated to staff.
Gap(s) & Actions:
d. Decisions on the scope and frequency of separate evaluations (such as this
self-assessment) are based primarily on the assessment of risks and the effectiveness of
ongoing monitoring procedures.
Person Responsible:
e. When making this determination, the organization considers the nature and degree of
changes, from both internal and external events, and their associated risks; the
competence and experience of the personnel implementing risk responses and related
controls; and the results of ongoing monitoring.
Due Date:
f. Specific separate evaluations cover the evaluation of the effectiveness of the internal
control system and ensure that internal control achieves the desired results.
g. All deficiencies found during ongoing monitoring or through separate evaluations are
communicated to those positioned to take necessary action.
i. Monitoring internal control includes policies and procedures aimed at ensuring that
the findings of audits and other reviews are adequately and promptly resolved.
Monitoring Activities
16. How is coverage within each overall risk area (admissions, quality assurance, coding, charge
master, patient accounting, cost reporting, purchasing, employment/provider credentialing,
physician contracting) determined and coordinated?
17. Who is responsible for performing monitoring reviews? Describe the scope of monitoring
reviews.
18. Are any diagnostic techniques employed (e.g., profiling, denial rates)? Who performs these
analyses? Describe.
19. When charges are examined, are billing samples drawn from all bills or only federal payers?
21. What is the typical sample size and what is the sampling unit (bill, or line item of service)?
23. Does the Compliance Office assure that errors are corrected?
Reporting
24. Are written reports prepared of monitoring reviews conducted?
25. Are conclusions clearly expressed, recommendations documented, and action plans offered by
auditee?
26. Are reports distributed to the Compliance Committee? Describe distribution protocol.
27. Is there any tabulation of cumulative report findings, common deficiencies, refunds triggered etc.,
and are these summaries provided to the Compliance Committee? Describe contents and
distribution.
28. Is a management response required? Please describe protocol for resolution of identified issues.
1. Please provide the following to the extent that they are available:
a. Mission statement or vision statement
b. Organizational chart
c. Current delegations of authority or responsibility
d. Most recent job descriptions for key management positions
e. Strategic planning documents
f. Chart of financial accounts
g. List of regularly prepared management reports (financial and/or programmatic)
h. List of key departmental contacts for major departmental activities
2. Please describe any significant changes to departmental operations in the last three years. For
example, please list any turnover in key positions; changes to policies, processes, or
procedures; new information systems; new or revised compliance requirements; etc.
3. Please describe department management's processes or approaches for evaluating the status of
current operations. If the various approaches include any formal risk assessment process,
please describe the process in detail and corresponding reporting, if any.
4. Do you have any concerns with regard to the current state of departmental activities? If so,
what are they? If not, what departmental operations should be considered for selection as the
focus or scope of the current review in your opinion?
5. Have any departmental operations been the subject of review by any outside party (e.g.,
Office of the President, peer review, independent consultants, regulatory agencies, etc.)? If so,
please provide the results of the review(s).
Financial Objectives
1. Please describe departmental budget processes, including departmental funds, and capital
funds. Please also describe departmental processes and responsibilities for monitoring
budget variances (actual financial results versus financial budgets).
2. What financial reports are prepared regularly and with what frequency? Who prepares the
financial reports, and to whom are they distributed?
3. How are collections and accounts receivable balances summarized and transferred to the
financial system? What system interfaces are involved?
4. Please describe the process for identifying and transferring accounts to the outside
collection agency. How are collection agency accounts monitored?
Compliance Objectives
1. Please explain your processes for promoting and ensuring compliance with various
requirements, e.g., DOH, other health plan contracts and internal policies and procedures.
2. Are there any prescribed processes for monitoring the level of compliance with specific
requirements, and reporting internally discovered instances of non-compliance? If so, please
describe the processes.
3. In your opinion, are there any specific policies, procedures, rules, or regulations that are not
consistently observed? If so, please explain the requirement, and estimate the level of
compliance (or non-compliance) and its impact.
Operational Objectives
1. Please describe your core business processes for the following:
a. Admissions and Registration
b. Charge capture systems and processes
c. Charge Master maintenance
d. Diagnostic and Procedural coding
7. Regarding cash deposit and co-payment collection, please answer the following:
a. Please provide a list of the primary locations that collect patient co-payments and
cash deposits.
b. How does staff in those locations know when a patient payment is due? Can services
be provided if a patient is not prepared to make a co-payment or deposit?
c. How does management ensure that cashiering functions comply with BUS 49
standards?
8. Regarding claims preparation, edit and transmission processes, please answer the following:
a. Describe how claims are compiled in the billing system. Please include information
relative to claims cycle time and criteria for distributing responsibility for claim
preparation and editing among the staff.
b. Describe the claim edit criteria and accountability structure. Are the criteria
documented? Have billing compliance regulations been included in edit criteria?
i. Are claims transmission standards fully compliant with HIPAA? Are all
clearinghouses and other transmission strategies compliant with HIPAA
standards?
ii. Are batch or control totals used to ensure that electronic files are complete when
received by other systems?
9. Regarding accounts receivable management, please answer the following:
a. How is the responsibility for accounts receivable management divided among the
billing supervisors and staff?
b. What reports are generated by the billing system to assist the staff with achieving
production goals? How often are they revised?
c. What manual and system resources are available to staff to assist with answering
questions about payor requirements or claim information?
d. Describe the health plan contract management process.
10. Regarding credit balance resolution, please answer the following:
a. Who is primarily responsible for resolving credit balances?
b. What criteria are used to prioritize which credits to work?
c. What industry benchmarks are available to compare the results of local credit balance
management with other institutions?
d. How are refunds processed?
11. Please describe any operational activities that, in your opinion, could be improved.
Specifically, what would be changed, and what would be the resulting benefit. Has the idea
been discussed internally and, if so, what was the result? If not, why?
1. Please provide the name and version of the information system used for the following. Please
also note whether applications are manual or electronic, and what system they run on.
a. Charge Capture/Abstracting
b. Primary hospital billing and receivables system
PSA 265 “Communicating Deficiencies in Internal Control with Those Charged with
Governance and Management”
Introduction
Scope of the PSA
1. This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to
communicate appropriately to those charged with governance and management deficiencies in
internal control that the auditor has identified in the audit of the financial statements. This
PSA does not impose additional responsibilities on the auditor regarding obtaining an
understanding of internal control and designing and performing tests of controls over and above
the requirements of PSA 315 and PSA 330. Moreover, PSA 265 establishes requirements
regarding the auditor’s responsibility to communicate with those charged with governance in
relation to the audit.
2. The auditor may identify deficiencies in internal control not only during the risk assessment
process but also at other stages of the audit. This PSA specifies which identified deficiencies
Objective
3. The auditor is tasked to communicate appropriately to those charged with governance and
management any deficiencies in internal control that the auditor has identified during the
audit and that, in the auditor’s professional judgment, are of sufficient importance to merit
their respective attentions.