
SGB & CO.

Account for Accuracy & Reliability


Consideration of Internal Control

AUDITOR’S CONSIDERATION OF INTERNAL CONTROL:

Auditors are not responsible for establishing and maintaining an entity’s internal control systems; however,
auditors should still give adequate consideration to these controls because the quality of the entity’s internal
control systems can have a significant impact on the audit.
Considering internal control involves the study and evaluation of the internal control of an entity, which helps
provide a basis for planning the audit and determining the nature, timing, and extent of audit procedures. It also
provides a basis for constructive suggestions to management about improvements in the internal control structure.
The steps involved in consideration of internal control are as follows:
1) Obtain sufficient understanding of the internal control relevant to the audit
- In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by
performing procedures to understand the design of controls relevant to an audit of financial statements and
determining whether they have been placed in operation. In obtaining this understanding, the auditor considers
how an entity’s use of information technology (IT) and manual procedures may affect controls relevant to the
audit.
2) Perform preliminary assessment of control risk.
- The auditor then assesses control risk for the relevant assertions embodied in the account balance, transaction
class, and disclosure components of the financial statements. Regardless of the assessed level of control risk,
the auditor should perform substantive procedures for all relevant assertions related to all significant accounts
and disclosures in the financial statements.
3) Perform tests of controls
- The auditor may determine that assessing control risk below the maximum level for certain assertions would
be effective and more efficient than performing only substantive tests. In addition, the auditor may determine
that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive
tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential
matter about the effectiveness of both the design and operation of controls to reduce the assessed level of
control risk. Such evidential matter may be obtained from tests of controls planned and performed concurrent
with or subsequent to obtaining the understanding. Such evidential matter also may be obtained from
procedures that were not specifically planned as tests of controls but that nevertheless provide evidential matter
about the effectiveness of the design and operation of the controls. For certain assertions, the auditor may desire
to further reduce the assessed level of control risk. In such cases, the auditor considers whether evidential
matter sufficient to support a further reduction is likely to be available and whether performing additional tests
of controls to obtain such evidential matter would be efficient.
Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are
unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of
controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests
would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation,
recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the
desired assurance only from substantive tests would significantly diminish.
The auditor uses the understanding of internal control and the assessed level of control risk in determining the
nature, timing, and extent of substantive tests for financial statement assertions.

INDUSTRY BASIC OPERATIONAL MODEL:

According to the World Health Organization (WHO), a health system consists of all organizations, people and
actions whose primary interest is to promote, restore, or maintain health. Its outcomes and goals include improving
health and health equity in ways that are responsive and financially fair, that make the best or most efficient use
of available resources, and that provide greater access to and coverage for effective health interventions.
WHO has developed its health systems framework, which is composed of six building blocks that, when taken
together, (a) give a picture of the state of the health care system in a country, and (b) help achieve the intended
goals and outcomes.

Figure 1. WHO health systems framework

Philippine Health Care System


Health is a basic human right guaranteed by the Philippine Constitution of 1987. The Philippine health care
delivery system is a complex set of organizations interacting to provide an array of health services. Care is
provided through a dual health delivery system composed of the public sector and the private sector.
The public sector is largely financed through a tax-based budgeting system, where health services are delivered by
government facilities under the national and local governments. The Department of Health (DOH) supervises the
government corporate hospitals, specialty and regional hospitals, while the Department of National Defense runs
the military hospitals. At the local level, the provincial governments manage and operate district and provincial
hospitals, while municipal governments provide primary care, including preventive and promotive health services
and other public health programmes through the rural health units, health centers and barangay health stations.
Highly urbanized and independent cities provide both hospital services and primary care services.
The private sector, consisting of for-profit and non-profit health-care providers, is largely market oriented, where
health care is generally paid for through user fees at the point of service.

Figure 2. Philippine Health Care Delivery System

The six building blocks of the WHO health systems framework in the Philippine scenario
1) Leadership and governance
- As the national technical authority on health, the DOH provides national policy direction and strategic
plans, regulatory services, standards and guidelines for health, and highly specialized and specific tertiary-
level hospital services. It provides leadership, technical assistance, capacity building, linkages and
coordination with other national government agencies, LGUs and private entities in implementing health
policies. The LGUs, i.e. provincial, city and municipal governments, on the other hand, are responsible for
managing and implementing local health programmes and services. A local health board chaired by the local
chief executive (governor or mayor) serves as an advisory body to the local chief executives and the local
legislative council members (sanggunian) on the local health system, while the DOH Regional Health Office
is represented by either a DOH representative or Development Management Officer under the DOH
Provincial Health Team.
In Mindanao, a distinct subnational entity called the Autonomous Region in Muslim Mindanao (ARMM)
was created by Republic Act No. 6734, as amended by Republic Act No. 9054. ARMM consists of five
provinces and has its own regional Department of Health that is directly responsible to the ARMM Regional
Governor. It directly administers the provincial, city and municipal health offices, and the provincial and
district hospitals within the autonomous region.

2) Health and health care financing


Characteristics:
1. Raises adequate funds for health to ensure that people get to use needed services
2. People who use health services are shielded from financial catastrophe or impoverishment associated
with having to pay for them
Health financing goals:
• Raising sufficient funds for health
• Ensuring adequate spending on health
• Effective allocation of finite financial resources to different types of public and personal health services
• Pooling financial resources across population groups and sharing financial risks
• Using funds for health efficiently and equitably

3) Health workforce
- To achieve the best health outcomes possible, our human resources for health should have:
• Sufficient numbers
• Right mix of staff

• System-wide deployment and distribution (equitable)


• Established job-related norms
• Enabling work environments
• Just compensation/payment systems – right kind of incentives

- DOH efforts for the geographical disparity in the availability of health workers:
• Doctors to the Barrios (DTTB)
• Nurses Deployment Program (NDP formerly RN HEALS)
• Rural Health Midwife Placement Program (RHMPP)

- Major employers:
• Doctors – 50% (public / private)
• Nurses – 61% (private)
• Midwives – 91% (public)
• Med tech – 53% (public)

- Market Oriented Brain Drain phenomenon:
• 70% of those who stay are employed in the private sector, serving only 30% of the population
• 30% are in the public sector, catering to the majority

- Largest categories of HRH: midwives and nurses
• Many newly licensed nurses are unable to find employment
• When they do, they do not work as RNs
• There is underproduction in other categories such as doctors, dentists, med techs, etc.

4) Access to medicine and technology


- Ensure equitable access to:
• Essential medical products
• Effective, Safe, Cheap Medicines
• Vaccines
• Affordable and readily available Medical Technologies

- Scenarios and challenges


• Supply-driven distribution scheme (PHAP 2008, WHO 2011)
• Drugstores – 80.1%
• Hospitals – 9.7% (gov’t at 2.3%)
• Others – 10.2% (including government agencies at 0.3%)
• Strong market orientation
• Generics Act/Law in force since 1988, but compliance with it is still an issue
• Generally lax regulation with strong pharmaceutical / nutraceutical company lobbying influence (FDA is the
lead agency)
• Major Constraints in Accessing Essential Drugs (DOH 2008): Limited availability, irrational use, high
costs
• Effect of Devolution:
• LGUs left to budget for medicines
• Result: great variability in access to medicines, particularly basic medicines, across the country’s LGUs

5) Health information and research


• Reliable and timely Health Information
Measures:
• Health determinants
• Health systems performance
• Health status
• A good system is one where Health Information is: produced, analyzed, disseminated, and used.
• Health information is a national asset and used by policy-makers, planners, health care providers,
development partners, and the general public
• Uses: Track health system performance, support better health policies, and make effective health related
decisions
- Challenges on health information
• Poor integration and weak governance of national and local health information systems (Marcelo, 2005)
• Telecom infrastructure mostly concentrated in urban centers
• Unclear considerations for the role of IT in primary health care in the Philippines
• Lack of IT governance structures (standards, etc.)
• Existing DOH Information Gathering Systems

• Allegedly computerized but still highly reliant on outdated paper and pen systems in the frontlines
• eFHSIS, PIDSR, SPEED, ClinicSys, PhilHealth Dashboard

6) Health service delivery


- Qualities of good health services
• Deliver effective, safe and quality health interventions to those who need them; when and where needed,
with minimum waste of resources
• All services dealing with disease diagnosis and treatment
• All services for the promotion, maintenance and restoration of health
• Both personal and non-personal services
- Key elements
• Organizing health services as networks of primary care backed up by hospitals and specialized care
• Providing a package of health benefits with clinical and public health interventions
• Ensuring access and quality of services
• Holding providers accountable for access and quality and ensuring consumer voice
- Health service delivery in the Philippines
1) Public Sector
• Financed through taxes
• Budgeting system is done at the local AND national level
• Health care service is ideally “free” at point of care
2) Private Sector
• Profit and non-profit providers
• Usually market-driven
• Services are often not free: OOP schemes, insurance / HMOs, external funding / grants
• May not necessarily be needs-based. Often abused/misused

COMPONENTS OF INTERNAL CONTROL


Internal control consists of five interrelated components:
1. Control environment;
2. Risk assessment process;
3. The information system, communication, and related business processes;
4. Control procedures;
5. Monitoring of controls.
The table below gives more detail about each component, including its description and corresponding
specific elements.

Components of Internal Control Structure

Component: Control environment
Description: Actions, policies and procedures that reflect the overall attitude of top management, directors, and
owners of an entity about controls and their importance
Component elements:
■ Integrity and ethical values
■ Commitment to competence
■ Those charged with governance (board of directors or audit committee)
■ Management’s philosophy and operating style
■ Organizational structure
■ Assignment of authority and responsibility
■ Human resource policies and practices

Component: Management’s risk assessment
Description: Management’s identification and analysis of risks relevant to the preparation of financial statements
in accordance with IFRS
Component elements: Management’s assertions: existence, completeness, valuation, presentation and disclosure,
measurement, occurrence

Component: Accounting information systems and communication
Description: Methods used to identify, assemble, classify, record, and report an entity’s transactions and to
maintain accountability for related assets
Component elements: Transaction-related audit objectives: existence, completeness, accuracy, classification,
timing, posting, and summarization

Component: Control activities (control procedures)
Description: Policies and procedures that management established to meet its objectives for financial reporting
Component elements:
■ Adequate segregation of duties
■ Proper authorization of transactions and activities (specific computer controls)
■ Adequate documents and records (general computer controls)
■ Physical control over assets and records
■ Independent checks on performance

Component: Monitoring
Description: Management’s ongoing and periodic assessment of the effectiveness of the design and operation of an
internal control structure to determine if it is operating as intended and modified when needed
Component elements: Not applicable

CONDITIONS THAT INCREASE RISK IN THE HOSPITAL INDUSTRY

Cybersecurity
As technology-enabled care and communication with patients grows, cybersecurity continues to be a top concern
for healthcare executives, audit committees, and boards. Well-established guidance for cybersecurity programs
focuses on identifying information assets and related cyber risks, applying protective controls, detecting and
responding to security threats, and recovering from incidents that occur. Regulations and continual breach reports
have demonstrated to healthcare organizations the importance of cybersecurity, and many organizations have been
taking steps to perform the necessary risk assessment activities and implement robust preventive controls.

While healthcare organizations continue to mature in identifying and protecting physical property, intellectual
property, and data assets, a lack of preparedness for detecting and responding to cyberthreats persists. Detecting
cyberthreats requires significant investment in personnel and technology to support monitoring of networked
systems, which presents challenges to thinly stretched IT and security budgets. To complicate matters, the
healthcare industry is unique in the sense that it has to consider security events such as ransomware and
distributed denial of service (DDoS) as well as Health Insurance Portability and Accountability Act (HIPAA)
regulations, which require healthcare entities to also plan for violations of patient privacy and inappropriate access
to sensitive patient information. This combination increases the complexity of the detective capabilities and
incident response plans. Preparedness measures such as walk-throughs of response plans, tabletop exercises, and
disaster recovery tests require coordination and time from several groups beyond IT. The healthcare industry’s
high integration rate of mobile devices, cloud services, and network-connected biomedical devices further hinders
even the best efforts to monitor all systems and have proper response plans in place. It is easy to overlook the
costs of resources required to develop, maintain, and continually improve security detection and response
capabilities. Security incidents are, unfortunately, inevitable, and leadership is seeing the need to shift its focus to
developing strong detective and corrective processes and controls to support the protective controls already in
place.
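
One way to build the two-sided detective capability described above, as an added Python illustration that is not part of the original document: EHR access-audit records are screened for chart views without a treatment relationship (the HIPAA privacy side), endpoint records for ransomware-like rename bursts (the security side), and each finding carries the response playbook it should route to. The log layout, field names, thresholds and playbook names are assumptions, and the sample records are constructed.

```python
# Two-track detective control for a hospital environment (added illustration,
# not from the original document; log layout, thresholds and playbook names are assumed).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access-audit records: who opened which patient chart and
# whether the EHR recorded a treatment relationship with that patient.
EHR_LOG = """\
2024-03-04T09:02:11 user=nurse01 role=nurse patient=P1001 action=view relationship=yes
2024-03-04T09:05:40 user=nurse01 role=nurse patient=P1002 action=view relationship=yes
2024-03-04T10:30:00 user=dr_lee role=physician patient=P3001 action=view relationship=no
2024-03-04T22:15:03 user=clerk07 role=billing patient=P2001 action=view relationship=no
2024-03-04T22:15:09 user=clerk07 role=billing patient=P2002 action=view relationship=no
2024-03-04T22:15:14 user=clerk07 role=billing patient=P2003 action=view relationship=no
2024-03-04T22:15:20 user=clerk07 role=billing patient=P2004 action=view relationship=no
2024-03-04T22:15:27 user=clerk07 role=billing patient=P2005 action=view relationship=no
"""

# Constructed endpoint file-activity records from a workstation agent.
ENDPOINT_LOG = """\
2024-03-04T08:00:00 host=ws-fin-01 user=acct03 event=rename path=/data/ledger.xlsx new=/data/ledger.xlsx.bak
2024-03-04T11:00:02 host=ws-rad-02 user=svc_img event=rename path=/pacs/img001.dcm new=/pacs/img001.dcm.locked
2024-03-04T11:00:03 host=ws-rad-02 user=svc_img event=rename path=/pacs/img002.dcm new=/pacs/img002.dcm.locked
2024-03-04T11:00:04 host=ws-rad-02 user=svc_img event=rename path=/pacs/img003.dcm new=/pacs/img003.dcm.locked
2024-03-04T11:00:05 host=ws-rad-02 user=svc_img event=rename path=/pacs/img004.dcm new=/pacs/img004.dcm.locked
2024-03-04T11:00:06 host=ws-rad-02 user=svc_img event=rename path=/pacs/img005.dcm new=/pacs/img005.dcm.locked
"""

NO_RELATIONSHIP_BURST = 5   # no-relationship chart views by one user that escalate a finding
RENAME_BURST = 5            # same-extension renames on one host that look like encryption
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp becomes 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split(" ") if "=" in tok)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def burst(times, threshold, window):
    """True if at least `threshold` of the timestamps fall inside one `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def privacy_findings(ehr_log):
    """HIPAA track: chart views with no treatment relationship. A single view is a
    medium finding for the privacy officer; a burst by one user is high (snooping/harvesting)."""
    by_user = defaultdict(list)
    for line in ehr_log.splitlines():
        rec = parse_line(line)
        if rec["action"] == "view" and rec["relationship"] == "no":
            by_user[rec["user"]].append(rec)
    findings = []
    for user, recs in sorted(by_user.items()):
        high = burst([r["ts"] for r in recs], NO_RELATIONSHIP_BURST, WINDOW)
        findings.append({
            "category": "privacy",
            "user": user,
            "patients": sorted({r["patient"] for r in recs}),
            "severity": "high" if high else "medium",
            "playbook": "privacy-incident",   # assumed playbook name
        })
    return findings


def security_findings(endpoint_log):
    """Security track: one host renaming many files to the same new extension
    inside the window, a common signature of ransomware encryption."""
    by_host_ext = defaultdict(list)
    for line in endpoint_log.splitlines():
        rec = parse_line(line)
        if rec["event"] == "rename":
            ext = rec["new"].rsplit(".", 1)[-1]
            by_host_ext[(rec["host"], ext)].append(rec["ts"])
    findings = []
    for (host, ext), times in sorted(by_host_ext.items()):
        if burst(times, RENAME_BURST, WINDOW):
            findings.append({
                "category": "security",
                "host": host,
                "extension": ext,
                "severity": "critical",
                "playbook": "ransomware-containment",   # assumed playbook name
            })
    return findings


def triage(ehr_log, endpoint_log):
    """Run both tracks and keep the findings separate so each category reaches
    the right responders (privacy office vs. security operations)."""
    return {"privacy": privacy_findings(ehr_log),
            "security": security_findings(endpoint_log)}


if __name__ == "__main__":
    print(triage(EHR_LOG, ENDPOINT_LOG))
```

In this sample the billing clerk's after-hours burst of no-relationship chart views is escalated to the privacy playbook, while the radiology workstation's rename burst is routed to security operations; the single physician lookup stays a medium privacy finding for review.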

Clinical quality
As more payment models shift from volume to value, many commercial payers are reimbursing based on quality,
following the lead of government payers. Federal and state regulators have required organizations to publicly
report quality measures and have tied quality to reimbursement through incentives, payment reduction, and
penalties. Healthcare organizations are facing increased risks related to not having processes in place to provide
and improve quality care, adversely affecting patient outcomes, cost of care, reputation, and financial performance
through pay-for-performance penalties.

The COVID-19 pandemic has highlighted the importance of strong processes and contingency plans to maintain
quality performance through catastrophic times. For example, healthcare organizations need to consider how they
will staff quality functions and other administrative responsibilities during an emergency, how they will deliver
the consistent application of important nurse-driven protocols (such as Foley removal), and how they will address
scope-of-practice issues as staff is redirected to other duties.

Physician alignment
Physician alignment risks have increased over recent years as physicians rapidly opt out of private practice. As
healthcare organizations contract with more and more physicians, it is critical that the organizations verify that
expectations and contract provisions are appropriate and complied with, without violating federal fraud and abuse

statutes (for example, Stark Law and anti-kickback laws). Health systems also increasingly have integrated the
operational and compliance risks related to physician practice management, including patient scheduling and
registration, patient billing, cash handling, prescription and medication management, coding, human resource
management, and information systems administration. Challenges still exist due to the geographic dispersion of
physician practices; for example, many are remote from the hospital campuses to which they are associated and,
therefore, might not be included within the day-to-day scope of work for all oversight functions including
compliance, IT security, and patient safety.

However, the most critical integration risks are strategic and longer term: physician alignment and engagement.
The increased efficiencies and coordination required by healthcare reform and new payment models cannot be
contracted into existence. Physician leadership is essential to increasing the quality of patient care, managing
health system costs, and successfully competing in the arena of patient consumerism and satisfaction. Clinical
champions must be identified and empowered to address emerging clinical risks, including effectively responding
to pandemics and combating the national opioid epidemic. The engagement required for such leadership is under
constant threat of clinician burnout due to increased workloads, loss of control, and ever-changing administrative
requirements.

Price transparency
While previous federal and state legislation has addressed healthcare price transparency for consumers, a new
Centers for Medicare & Medicaid Services (CMS) rule published Nov. 27, 2019, will make hospital requirements
more stringent. The “Price Transparency Requirements for Hospitals to Make Standard Charges Public” final rule
(85 Fed. Reg. 65524) will become effective Jan. 1, 2021. Under the final rule, hospitals will be required to capture
and publicly disclose significant amounts of information including gross charges, payer-specific negotiated rates,
cash prices for the many inpatient and outpatient items and services offered by each hospital, and Healthcare
Common Procedure Coding System codes. In addition, the final rule requires shoppable services (that is, services
that can be scheduled by a consumer in advance, such as a knee replacement) to be publicly disclosed as well.

Gathering and disseminating this information will be complex and require diligence and collaboration. Hospitals
might need to redesign current data collection processes, as robust data management and retrieval will be vital to
timely compliance. According to CMS, lack of price transparency is one cause of escalating healthcare costs, and
greater transparency is expected to encourage choice and competition, thereby lowering prices. The final rule
provides CMS with the authority to monitor, audit, and mandate corrective action plans. Compliance with price
transparency requirements presents a new reputational risk to hospitals as CMS is authorized to impose – and
publicize – civil monetary penalties of $300 per day for noncompliance.

Third-party vendor management


Healthcare organizations routinely rely on third-party vendors to enable mission-critical services, which in turn
can increase business exposures. Because third-party vendors often have access to the hospital facility and
hospital data as well as direct access to patients, compliance, patient safety, and regulatory risks can be significant.
Failure by third parties to comply with federal, state, and local laws can have immediate and devastating negative
financial, legal, and reputational results. Risks related to use of third parties for core services must be considered
carefully before contracts are signed, and they must be managed throughout the vendor relationship. A thorough
vendor management program with ongoing monitoring of third parties (including pricing compliance, quality of
service, background checks of vendor employees, and IT security) is critical to mitigate these risks.

Joint venture management and oversight


In recent years, health system growth has been defined through partnership and affiliation in the delivery of
services. Joint venture relationships commonly are used as financial vehicles to operate across an expanded
spectrum of care, obtain access to improved technology, and serve a greater community. While many people look
at joint ventures from a financial perspective, risks in this area are not just financial but also related to all aspects

of patient care, digital security, compliance, and reputation. Joint venture arrangements have become increasingly
complex in sharing of revenues and expenses; achieving performance and return on investment; and complying
with a broad spectrum of regulations, including HIPAA, Stark Law, antitrust, and the False Claims Act.

The owners of a joint venture should implement adequate oversight processes at both the owner level and the joint
venture level. Additionally, joint ventures should maintain effective monitoring controls such as having a board of
directors with broad business, technology, and clinical expertise; a compliance program; and an internal audit
function. Without these, healthcare organizations are vulnerable to financial loss, fines and penalties for
compliance violations, failure to achieve and sustain growth goals, and significant reputational and legal damages.

Telemedicine
As the threat of COVID-19 expanded, telehealth and telemedicine evolved from an optional convenience to an
absolute necessity in the span of a few weeks. This shift resulted in health systems scrambling to rapidly develop
existing platforms or build out new ones in order to continue treating patients. In implementing the technologies
and processes to support these initiatives, healthcare organizations also must implement strong controls for remote
service delivery and supporting technologies. These controls are necessary to address and adhere to clinical
standards (such as provider capabilities, credentialing, and standards of care), promote high-quality care,
minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.

Revenue cycle improvement


More and more, healthcare organizations are turning to third parties and automated solutions to achieve revenue
cycle improvements. However, increased revenue cycle outsourcing and automation can introduce additional risks
if transparency in revenue cycle performance is reduced or if poor manual processes are hardwired into automated
ones. In addition, hospitals that fully outsource their revenue cycle function might not be getting much of a
financial benefit. Organizations cannot adopt a “set it and forget it” mentality. Robust monitoring is crucial for
success with outsourced and automated functions, as it will help to identify gaps and risks in workflow processes.
Monitoring also provides transparency in end-to-end revenue cycle management and allows communication
across the entire revenue cycle. Some areas in which monitoring is especially important include:

• Clinical documentation improvement, where outsourced and automated processes might not accurately direct
resources to the greatest opportunities.
• Utilization management, where ineffective work queue automation might cause patient accounts to fall through
the cracks.
• Emergency department (ED) coding, where organizations might not always have visibility into the logic used to
assign ED levels.

Government and politics


Since the beginning of the COVID-19 pandemic, the regulatory environment has moved faster than ever before,
with $175 billion available to healthcare entities under the CARES Act and with fund distribution based on
multiple factors including lost revenues, expenses related to COVID-19, net patient revenues, rural location, and
low-income populations. At the time of publication, debate continued in Washington, D.C., over additional
COVID-19 assistance funds. It is essential for health systems to keep in close contact with federal and state
government representatives to be well positioned for COVID-19 reimbursement. Hospitals should assess the
accuracy of the Relief Fund Payment attestations and maintain substantial supporting documentation to avoid
future need for repayment of these funds.

While the Affordable Care Act (ACA) is considered by many to be established legislation, the U.S. Supreme
Court continues to hear challenges that could eliminate provisions beneficial to health systems. Because the
Trump administration, including the U.S. attorney general, is in agreement with ACA challengers and because the
Supreme Court leans conservative, it is again possible that the ACA will be struck down or significantly changed.
At the same time, the current period of economic uncertainty and high unemployment puts health systems at risk

from patients without health coverage or with less coverage due to the loss of employer-funded insurance.
Hospitals should continue to monitor their methodologies for net patient service revenue calculations and reserve
estimates during this time of great upheaval.

Furthermore, searching for additional tax revenues to recover from economic struggles, state and local
governments might continue to challenge not-for-profit health systems’ executive pay, community benefit
provided, and tax-exempt status.

Legal and regulatory compliance


Compliance with federal and state laws and CMS regulations remains a top concern for healthcare governance
and management teams. Healthcare is a highly regulated industry with special rules applicable to transactions
between health systems and physicians to avoid referrals of Medicare or Medicaid patients where financial
relationships exist (Stark Law); filing of fictitious, miscoded, nonmedically necessary, or otherwise inaccurate
claims for Medicare or Medicaid beneficiaries (False Claims Act); and many other compliance matters. Health
systems also have been challenged by elements of Americans With Disabilities Act compliance and quality of
care requirements.

Possible results of noncompliance with the many regulations faced by healthcare organizations include class-
action lawsuits and significant legal, regulatory, and financial consequences. And, even in cases in which the
government doesn’t take action, whistleblowers (often from within an organization) might be financially
rewarded using “qui tam” lawsuits to take action on the government’s behalf to recoup government funds under
the False Claims Act. Other common results of noncompliance include fines, reputational loss, and costly
corporate integrity agreements.

To avoid these risks, it is important that healthcare providers understand the federal government’s focus areas
relative to combating fraud, waste, and abuse, which can be accomplished through regular review of state and
federal regulator websites. For example, the Office of Inspector General’s (OIG) Work Plan is updated monthly
and made publicly available on the OIG website. Current OIG focus areas include inpatient hospital billing, CMS
oversight of nursing facility staffing levels, compliance with CMS transfer policies, billing of critical care service
levels, and use of condition codes. Although lengthy, the OIG Work Plan is organized by the date that each plan
item was announced or revised and provides the reader with a condensed, summarized list of current focus areas.
Conducting regular monitoring and independent audits based on the OIG Work Plan is a vital strategy in
proactively mitigating or detecting regulatory risk.

Health systems also should be proactive and undertake audits of physician transactions, care coordination
functions, billing, and claims coding. In addition to these audit areas, health systems should consider periodic
reviews of the effectiveness of their compliance programs, which help safeguard against regulatory and “qui tam”
legal action through providing means to report and take corrective action internally.

RISK ASSESSMENT INTERNAL CONTROL

I. BRAINSTORMING CONFERENCE

Date :_________________ Date discussed with manager: _______________

Instructions: Members of the audit team are required to discuss the susceptibility of the Hospital’s financial
statements to material misstatement due to fraud or error. The discussion should include an open exchange of
ideas (brainstorming). The discussion should also emphasize the importance of exercising professional
skepticism throughout the audit. The discussion may occur prior to, or in conjunction with, other audit
planning procedures, but should take place each year. The manager should determine which matters are to be
communicated to members of the audit team not involved in the discussion.
If the audit is a Single Audit, completion of this procedure should include consideration of both the audit of the
financial statements and the federal awards.

Audit of financial statements: Yes / No

Single Audit: Yes / No

Participants:

Name Title

1. Describe how the discussion occurred (e.g. face-to-face meeting, conference call).

2. Describe the matters discussed.

Matters that should be discussed include:


a. How and where the financial statements might be materially misstated due to fraud or error.
b. How management could perpetrate and conceal fraudulent financial reporting.
c. How the perpetrators could misappropriate Hospital assets.
d. Known external and internal factors affecting the Hospital that might (1) create incentives/pressures to
commit fraud, (2) provide the opportunity for fraud to take place and (3) reveal attitudes or
rationalization about why fraud is acceptable behavior.
e. Circumstances indicative of earnings management or manipulation of other financial measures which
could lead to fraudulent financial reporting.
f. The nature and risk of management override of controls.
g. How best to respond to these fraud and other risks through the design of audit procedures.
h. The importance of maintaining an appropriate attitude of professional skepticism throughout the audit
when considering the risk of material misstatement due to fraud.
i. Risks of material misstatements associated with related party relationships and transactions.
The discussion should not be influenced by past favorable experience with the integrity of management.
The discussion should abandon neutrality and presume the possibility of dishonesty at various levels of
management.
The discussion should focus on the financial statement areas vulnerable to fraud presuming management,
employees or volunteers were inclined to perpetrate fraud.

3. Did information arise during the brainstorming meeting which may be relevant to identifying risks of material
misstatement due to fraud or error?
Yes (Document on Part IV)

No

Comments:

II. INQUIRIES ABOUT THE RISKS OF FRAUD

Instructions: Auditors are required to make inquiries of management and others about the risks of fraud.
Inquiries should be made each year in the planning stage of the audit. This form can be used to document the
auditor’s inquiries of management and other employees. Conducting one-on-one interviews with members of
management and other employees is the most appropriate way of accomplishing the objectives of the inquiry
process. Management interviewed should include, at a minimum, all those who sign the management
representation letter.
If the audit is a Single Audit, completion of this procedure should include consideration of both the audit of the
financial statements and the federal awards. Alternatively, the auditor may wish to complete separate forms.
(A separate form should be used for each person interviewed.)

A. Management Personnel Interviewed:

Name Title Date

1. Inquire of the Hospital’s management about whether it is aware of (1) actual or suspected fraud or (2) any
allegations of fraud (e.g., communications from employees or others). Describe.

2. Inquire of the Hospital’s management about its understanding of the risks of fraud within the Hospital,
including any specific risks identified or account balances or transaction classes where fraud is likely to
occur. Describe.

3. Inquire of the Hospital’s management about the programs and controls it has established to mitigate fraud
risks and how it monitors such programs and controls. Describe.

4. Inquire of the Hospital’s management about the nature and extent of monitoring of operating locations,
where applicable, and whether there are particular units for which a risk of fraud may be more likely to
exist. Describe.

5. Inquire of the Hospital’s management about whether and how it communicates to employees its views on
business practices and ethical behavior. Describe.

6. Inquire of the Hospital’s management about whether it has reported to the audit committee, or its
equivalent, on how the Hospital’s internal control monitors the risks of material fraud. Describe.

7. Inquire of the Hospital’s management about their compliance with laws and regulations. Describe.

8. Inquire of the Hospital’s management about the existence of any agreements containing confidentiality
clauses. Describe.

9. Inquire as to whether the person being interviewed is aware of any abuse (i.e. misuse of authority,
unneeded overtime, requesting staff run personal errands, expensive procurements, etc.). Describe.

10. Inquire as to whether the person being interviewed is aware of any employees or officials with possible
financial pressures (i.e. gambling, excessive shopping, sudden medical expenses, lifestyle changes, etc.).

11. Did information arise from inquiries of management which should be considered further in identifying
risks of material misstatement due to fraud?
Yes (Document on Part IV)

No
Comments:

B. Others Interviewed:

Name Title

1. Inquire of others within the Hospital (others can include operating personnel not directly involved in
the financial reporting process, employees with different levels of authority, employees involved
with initiating, recording or processing complex or unusual transactions or in-house legal counsel)
about any actual fraud or suspected fraud. Describe.

2. Inquire as to whether the person being interviewed is aware of any abuse (i.e. misuse of authority,
unneeded overtime, requesting staff run personal errands, expensive procurements, etc.).
Describe.

3. Inquire as to whether the person being interviewed is aware of any employees or officials with
possible financial pressures (i.e. gambling, excessive shopping, sudden medical expenses,
lifestyle changes, etc.).

4. Did information arise from inquiries of others which should be considered further in identifying risks
of material misstatement due to fraud?
Yes (Document on Part IV)

No
Comments:

C. Journal Entry Inquiry:



Name Title

1. Inquire of individuals involved in the financial reporting process about inappropriate or unusual
activity relating to the processing of journal entries and other adjustments. Describe.

2. Did information arise from inquiries of others which should be considered further in identifying risks
of material misstatement due to fraud?
Yes (Document on Part IV)

No
Comments:

D. Audit Committee or Equivalent Personnel Interviewed:

Name Title

1. Where applicable, inquire of the audit committee or its equivalent, or at least its chair, about (1) its
views about the risks of fraud, (2) whether it has knowledge of any actual fraud or suspected
fraud and (3) how it exercises its oversight of the Hospital’s assessment of risks of fraud and the
programs and controls the Hospital has adopted to mitigate those risks. Describe.

2. Did information arise from inquiries of audit committee or equivalent personnel which should be
considered further in identifying risks of material misstatement due to fraud?

Yes (Document on Part IV)

No
Comments:

E. Internal Audit Personnel Interviewed:

Name Title

1. Where applicable, inquire of internal audit personnel about (1) their views of the risks of fraud, (2)
any procedures they performed to identify or detect fraud during the period under audit, (3)
management’s response to the findings and (4) whether they have knowledge of any actual fraud
or suspected fraud. Describe.

2. Did information arise from inquiries of internal audit personnel which should be considered further
in identifying risks of material misstatement due to fraud?
Yes (Document on Part IV)

No
Comments:

III. FRAUD RISK ASSESSMENT

Instructions: Complete the following questions to document your consideration of risk factors that might
indicate an increased risk of material misstatement due to fraud. “Yes” answers do not necessarily indicate an
increased risk, but should be considered when assessing the risk of material misstatement due to fraud. If fraud
risk factors are present, but other controls exist that compensate for that risk, document the mitigating factors
in the Remarks column.

QUESTION | YES | NO | N/A | REMARKS

RISK FACTORS RELATING TO FRAUDULENT FINANCIAL REPORTING
A. Incentives/Pressures
1. Is there significant pressure on meeting performance targets?
2. Is a significant portion of management’s compensation or
performance assessment dependent on budgetary goals,
program results or other incentives?
3. Do unrealistic performance targets exist?

4. Were there numerous significant budget modifications in prior periods?
5. Is there a lack of formal budgeting policies and procedures?
6. Is the current management unable to make reasonable
estimates of tax revenues, expenditures or cash
requirements?
7. Has the credit rating for the Hospital’s securities been
downgraded by an independent agency since the prior
period?
8. Do individuals outside of management or the governing
body have substantial influence over the operations of one
or more Hospital units?
9. Has management set unduly aggressive financial targets and
expectations for operating personnel?
10. Is the Hospital subject to new accounting, statutory or
regulatory requirements that could impair its operating
efficiency or financial stability?
11. Is the Hospital experiencing rapid changes, such as rapid changes in technology or rapid changes in
citizens’ service expectations?
12. Is the Hospital experiencing a poor or deteriorating financial
condition (for example, a declining tax base, declining
economy or other anticipated loss of revenue sources)?
13. Is the Hospital having difficulty generating cash flows from
operating activities?
14. Has the Hospital experienced unusually rapid growth or
improved financial results, especially when compared to
other hospitals?
15. Is the Hospital highly vulnerable to changes in interest rates?

16. Is the Hospital unusually dependent on debt financing?

17. Do the Hospital’s financing agreements have debt covenants that are difficult to maintain?
18. Is the Hospital facing the threat of imminent bankruptcy?

19. Is there significant pressure to obtain additional funding to maintain services?
20. Is there a high degree of competition for federal or state
awards?
21. Is there declining federal and state program funding on a
national or regional level?
22. Is there a declining number of eligible participants, benefit
amounts and/or enrollments in award programs?
23. Are there complex or frequently changing compliance
requirements?
24. Is there a mix of fixed price and cost reimbursable program
types that create incentives to shift costs?

C. Attitudes/Rationalizations
1. Were there numerous significant audit adjustments in prior
periods?
2. Is there an excessive interest by management to meet
performance targets through the use of unusually aggressive
accounting practices?
3. Has management failed to effectively communicate and
support the Hospital’s values or ethics?
4. Has management failed to effectively communicate
inappropriate business practices or ethics?
5. Has management failed to correct known significant
deficiencies or material weaknesses in internal control on a
timely basis?
6. Has management displayed a significant disregard for
regulatory requirements, including, when applicable, federal
and state award compliance requirements?
7. Does management have a poor reputation?
8. Does management have a history of violating laws,
regulations, debt covenants, contractual obligations or federal
and state award compliance requirements?
9. Do non-financial management or personnel excessively
participate in the determination of significant estimates or
selection of accounting principles?
10. Are there frequent disputes on accounting, auditing or
reporting matters between management and the current or
predecessor auditor?
11. Has management made unreasonable demands on the auditor,
such as unreasonable time constraints on completion of the
audit or an excessive emphasis on reducing the audit fee?
12. Has management placed restrictions on the auditor (formal or
informal) that inappropriately limit access to people or
information or inappropriately limit communication with the
governing body or audit committee?
13. Has management failed to respond to specific inquiries or to
volunteer information regarding significant or unusual
transactions?
14. Has there been domineering behavior by management, especially involving attempts to influence the scope
of the auditor’s work?
15. Are there other situations indicating a strained relationship
between management and the current or predecessor auditor?
16. Could the Hospital face adverse consequences on a significant
pending transaction (such as issuance of debt or receipt of a
grant) if poor financial results are reported?
17. Does the Hospital have significant investments in high-risk
financial investments?
18. Are there any known personal difficulties or other influences
in the lives of management that could adversely affect their
integrity, attitude or performance?
19. Do other conditions indicate incentives/pressures,
opportunities or attitudes/rationalizations for management to
engage in fraudulent financial reporting?

Do conditions exist which indicate there may be incentives/pressures, opportunities or attitudes/rationalizations
for management to intentionally misstate the financial statements?
Yes (Document on Part IV)

No
Comments:

QUESTION | YES | NO | N/A | REMARKS

RISK FACTORS RELATING TO MISAPPROPRIATION OF ASSETS


A. Incentives/Pressures
1. Are there any indications management or employees with
access to cash or other assets susceptible to theft have
personal financial obligations that may create pressure to
misappropriate assets?
2. Do any conditions create adverse relationships between the
Hospital and employees with access to cash or other assets
susceptible to theft, such as the following:
a. Known or anticipated future employee layoffs?
b. Recent or anticipated changes to employee
compensation or benefit plans?
c. Promotions, compensation or other rewards
inconsistent with expectations?
B. Opportunities
1. Does the Hospital maintain or process large amounts of
cash?
2. Is the Hospital’s inventory easily susceptible to
misappropriation (such as small size, high value or high
demand)?
3. Does the Hospital have assets easily convertible to cash
(such as bearer bonds, etc.)?
4. Does the Hospital have capital assets easily susceptible to
misappropriation (such as small size, portability,
marketability, lack of ownership identification, etc.)?
5. Is the Hospital susceptible to fraudulent, unauthorized
disbursements (such as vendor or payroll disbursements)
being made in amounts material to the financial
statements?
6. Is there a lack of management oversight over assets
susceptible to misappropriation?
7. Does the Hospital lack job applicant screening procedures
when hiring employees with access to assets susceptible to
misappropriation?
8. Does the Hospital have inadequate record keeping over
assets susceptible to misappropriation?
9. Is there a lack of appropriate segregation of duties which is not mitigated by other factors (such as
management oversight)?
10. Does the Hospital lack an appropriate system for
authorizing and approving transactions (for example, in
purchasing or payroll disbursements)?
11. Are there poor physical safeguards over assets susceptible to
misappropriation (for example, inventory not stored in a
secured area, cash or investments kept in unlocked
drawers, etc.)?
12. Is there a lack of timely and appropriate documentation for transactions affecting assets susceptible to
misappropriation?
13. Is there a lack of mandatory vacations for employees in key
control functions?
14. Does management have an inadequate understanding of
information technology which enables IT employees to
perpetrate a misappropriation?
15. Are access controls over automated records inadequate (including controls over, and review of, computer
system event logs)?
C. Attitudes/Rationalizations
1. Do employees who have access to assets susceptible to
misappropriation show:
a. Disregard for the need for monitoring or reducing
risks related to misappropriation of assets?
b. Disregard for internal control over misappropriation
of assets by overriding existing controls?
c. Disregard for internal control over misappropriation
of assets by failing to correct known internal control
deficiencies?
2. Do employees who have access to assets susceptible to
misappropriation exhibit behavior indicating displeasure or
dissatisfaction with the Hospital or its treatment of its
employees?
3. Have you observed any unusual or unexplained changes in
behavior or lifestyle of employees who have access to
assets susceptible to misappropriation?

Do conditions exist which indicate there may be incentives/pressures, opportunities or attitudes/rationalizations
relating to misappropriation of assets?
Yes (Document on Part IV)

No
Comments:

List any additional fraud factors or conditions identified as being present. Additional factors may have been
identified through inquiry of management in the entrance conference. Also, document any compensating
controls.

If improper revenue recognition was not identified as a risk of material misstatement due to fraud, describe the
reasons regarding how that presumption was overcome.

IV. RESPONSE TO RISKS

The way the auditor responds to the risks identified during the risk assessment process depends on the nature
and significance of the risks identified and on the Hospital’s programs and controls to address such risks.
The auditor should take into account the various risk assessment procedures performed, including
preliminary analytical procedures, the brainstorming session, information obtained about the Hospital and its
environment (including internal controls), fraud risk considerations and any other sources providing
information about relevant risks. For single audits, the auditor should consider the risk that noncompliance
may cause the financial statements to contain a material misstatement. Auditors respond to the results of the
risk assessment in three ways: (1) an overall response as to how the audit is conducted, (2) specific responses
involving modification of the nature, timing and extent of procedures to be performed and (3) responses to
further address the fraud risk of management override of controls.

1. Overall response to financial statement risks – Describe overall risks at the financial statement
level that may affect many assertions and the planned response to identified risks. Examples
of overall risks include weaknesses in the control environment, changes in management,
motivation by management to fraudulently misstate the financial statements, etc. Appropriate
responses may include (1) assignment of personnel and supervision, (2) scrutiny of
management’s selection and application of significant accounting principles and (3) including
an element of unpredictability in audit procedures and tests.

2. Specific responses to risks – If any risks are considered significant, the risk and the auditor’s
response to the risk should be included in the risk assessment summary form. For less
significant risks, describe your specific responses, if any, to identified risks, including
modification of the nature, timing and extent of audit procedures.

3. Response to address management override of controls – Because management override of
controls can occur in unpredictable ways, the risk of management override of controls is
always an identified fraud risk and the auditor is required to perform certain specified
procedures to respond to such risk. These procedures relate to (1) examining journal entries
and other adjustments, (2) reviewing accounting estimates for biases and (3) evaluating the
business rationale for significant unusual transactions.

See audit program step H on audit program section Trial Balances

See audit program steps W and Y on audit program section Completion of Audit

In-charge
Manager                    Date
Independent Reviewer       Date

RISK ASSESSMENT SUMMARY

ACCOUNT BALANCE/CLASS OF TRANSACTION | MAT. BAL. (y/n) | MAJ. PROG (y/n) | Inherent Risk (High / Mod / Low) | Overall CR | TOC (y/n) | RMM | Allowable DR

Statement of Net Position/Balance Sheet

Cash

Investments

Taxes Receivable

Accounts Receivable

Deferred Outflows of
Resources

Prepaid Expense

Inventories

Capital Assets

Accounts Payable

Deferred Inflows of Resources

Other Liabilities

Compensated Absences

Long Term Debt

Other:

ACCOUNT BALANCE/CLASS OF TRANSACTION | MAT. BAL. (y/n) | MAJ. PROG (y/n) | Inherent Risk (High / Mod / Low) | Overall CR | TOC (y/n) | RMM | Allowable DR

Statement of Activities/Statement of Revenues, Expenditures and Changes in Fund Balances

Property Tax

Revenue - Intergovernmental

Revenue – Proprietary

Other Revenue

Expenditures

Expenditures -
Procurement/Credit Cards

Payroll

Transfers

Depreciation

Financial Reporting
(Presentation and Disclosure)

Other:

ACCOUNT BALANCE/CLASS OF TRANSACTION | IDENTIFIED RISKS and RELEVANT ASSERTION(S) | OPINION UNIT(S) APPLICABLE | RESPONSE TO RISK and AUDIT APPROACH

Statement of Net Position/Balance Sheet

Cash

Investments

Taxes Receivable

Accounts Receivable

Deferred Outflows of Resources

Prepaid Expense

Inventories

Capital Assets

Accounts Payable

Deferred Inflows of Resources

Other Liabilities

Compensated Absences

Long Term Debt

Other:

ACCOUNT BALANCE/CLASS OF TRANSACTION | IDENTIFIED RISKS and RELEVANT ASSERTION(S) | OPINION UNIT(S) APPLICABLE | RESPONSE TO RISK and AUDIT APPROACH

Statement of Activities/Statement of Revenues, Expenditures and Changes in Fund Balances

Property Tax

Revenue - Intergovernmental

Revenue – Proprietary

Other Revenue

Expenditures

Expenditures -
Procurement/Credit Cards

Payroll

Transfers

Depreciation

Financial Reporting
(Presentation and
Disclosure)

Other:

THE INTERNAL CONTROL EVALUATION


The general assessment comprises the following components that are applicable to the general functioning of
ministries, including those focused on health:
1. Control Environment - An organization's control environment is the foundation for all other components of
internal control. It includes the personal and professional integrity of management and staff, the commitment
to competence, management's philosophy and operating style, the organizational structure, and an
organization's human resource policies and practices. Of all the factors, this is the most qualitative and should
involve open dialogue and discussion.
2. Risk Assessment - Risk assessment is the process of identifying and analyzing risks relevant to the
achievement of the organization's objectives and determining an appropriate response. It includes risk
identification, risk evaluation, assessment of the organization's tolerance for risk, and the development of
responses to identified risks. Risks in the health sector can include those that are operational, compliance
related, financial, environmental, clinical, and reputational.
3. Control Activities - Control activities are the policies and procedures established to address risks and to
achieve the organization's objectives. They include authorization and approval procedures, segregation of
duties, controls over access to resources and records, verifications, reconciliations, reviews of operating
performance, reviews of operations, processes and activities, and supervision. An adequate balance should
exist between detecting problems and establishing preventive actions.
4. Information and Communication - Information and communication are essential to achieving all internal
control objectives. Management's ability to make appropriate decisions is affected by the quality of information
available; therefore, information should be appropriate, timely, current, accurate, and accessible. Information
must be communicated to the appropriate people.
5. Monitoring - Ongoing monitoring of internal control is aimed at ensuring that controls are operating as
intended and that they are modified appropriately in response to changes in conditions. Monitoring should
also assess whether the general objectives set out in the definition of internal control are being achieved. This
is accomplished through ongoing monitoring activities, separate evaluations (including self-assessments), or
a combination of both. Since separate evaluations take place only occasionally, ongoing monitoring can often
identify problems more quickly.

THE SCORING SYSTEM


The tool adopts a simple scoring system that applies one of three scores to each internal control element:
1. Inadequate (-1 point)
2. Needs improvement (0 points)
3. Adequate (+1 point).
“Inadequate” generally means that an expected process or procedure is missing or ineffective. “Needs
improvement” means that although the procedure exists, something more is needed; for example, inventory
inspections are conducted too infrequently, or employees are not trained sufficiently to carry out their
responsibilities at a high level. The score (-1, 0, or +1) for each indicator should be entered in the appropriate
column. The scores will subtotal for each element and then be totaled for each of the two major sections. There
will then be a grand total for the entire exercise.
Any “inadequate” or “needs improvement” score requires an explanation in the Comments column, where the
specific gap is identified along with a plan of management action to remedy the deficiency. Additional sheets
should be used if necessary (a sample sheet is presented on page 10). The name of the person responsible for the
remediation should be included along with an estimated date of completion. If at any time the organization
wishes to discuss the best control process through which to address any identified risks, the organization should
contact its head of internal audit and/or the MOF.
For any N/A response, a brief explanation is needed as to why the question does not apply.
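As an added illustration (not part of the assessment tool itself), the following Python scores a filled-in sheet the way the text describes: -1/0/+1 per indicator with N/A contributing nothing, subtotals per element, totals per major section and a grand total, and it flags any Inadequate, Needs improvement or N/A entry that lacks the explanation, responsible person or due date the tool requires. The indicator records and their field names are this example's own design, and the sample sheet is constructed input.

```python
"""Scoring helper for the three-point internal control rating described above.

Added example, not part of the assessment tool: each indicator is scored
Inadequate (-1), Needs improvement (0), Adequate (+1) or N/A; scores are
subtotalled per element, totalled per major section and grand-totalled;
every -1, 0 or N/A entry must carry the explanation the tool requires.
"""
from collections import OrderedDict
from dataclasses import dataclass

# Points awarded for each rating; N/A is handled separately and scores nothing.
SCORES = {"inadequate": -1, "needs improvement": 0, "adequate": 1}


@dataclass
class Indicator:
    section: str           # major section of the tool, e.g. "General Assessment"
    element: str           # internal control element, e.g. "1. Control Environment"
    ref: str               # indicator letter on the sheet, e.g. "c"
    rating: str            # "inadequate" | "needs improvement" | "adequate" | "n/a"
    comment: str = ""      # gap identified and management action, or why N/A
    responsible: str = ""  # person responsible for the remediation
    due_date: str = ""     # estimated completion date (free text, as on the sheet)


def validate(ind: Indicator) -> list:
    """Return the documentation gaps for one indicator (empty list means OK)."""
    where = f"{ind.element} {ind.ref}"
    rating = ind.rating.strip().lower()
    if rating == "n/a":
        # Any N/A response needs a brief explanation of why it does not apply.
        return [] if ind.comment.strip() else [f"{where}: N/A requires a brief explanation"]
    if rating not in SCORES:
        return [f"{where}: unknown rating {ind.rating!r}"]
    problems = []
    if SCORES[rating] < 1:
        # Inadequate and Needs improvement both require a remediation plan.
        if not ind.comment.strip():
            problems.append(f"{where}: gap and management action missing")
        if not ind.responsible.strip():
            problems.append(f"{where}: responsible person missing")
        if not ind.due_date.strip():
            problems.append(f"{where}: estimated completion date missing")
    return problems


def sheet_problems(indicators) -> list:
    """All documentation gaps across a sheet, in sheet order."""
    return [p for ind in indicators for p in validate(ind)]


def score_sheet(indicators) -> dict:
    """Subtotal per element, total per section and grand total (N/A adds 0)."""
    elements, sections, grand = OrderedDict(), OrderedDict(), 0
    for ind in indicators:
        points = SCORES.get(ind.rating.strip().lower(), 0)
        key = (ind.section, ind.element)
        elements[key] = elements.get(key, 0) + points
        sections[ind.section] = sections.get(ind.section, 0) + points
        grand += points
    return {"elements": dict(elements), "sections": dict(sections), "grand_total": grand}


# Constructed sample sheet (only the "General Assessment" section appears on this page).
SAMPLE = [
    Indicator("General Assessment", "1. Control Environment", "a", "adequate"),
    Indicator("General Assessment", "1. Control Environment", "c", "needs improvement",
              comment="Code of Ethics exists but is not publicized; action: circulate and brief all staff",
              responsible="HR Director", due_date="end of Q3"),
    # Inadequate with no plan recorded: still scored, but flagged by validate().
    Indicator("General Assessment", "1. Control Environment", "d", "inadequate"),
    Indicator("General Assessment", "2. Risk Assessment", "a", "inadequate",
              comment="No formal risk register; action: adopt one and rank risks",
              responsible="Head of Internal Audit", due_date="end of Q4"),
    # N/A without the explanation the tool asks for: flagged by validate().
    Indicator("General Assessment", "2. Risk Assessment", "f", "n/a"),
    Indicator("General Assessment", "3. Control Activities", "n", "adequate"),
]

if __name__ == "__main__":
    totals = score_sheet(SAMPLE)
    for (section, element), subtotal in totals["elements"].items():
        print(f"{section} / {element}: {subtotal:+d}")
    print("Section totals:", totals["sections"], "Grand total:", totals["grand_total"])
    for problem in sheet_problems(SAMPLE):
        print("NOTE:", problem)
```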

General Assessment | Rating: Inadequate (-1) / Needs Improvement (0) / Adequate (+1) | Comments (Use additional sheets if necessary)

1. Control Environment

Comments: Gap(s) & Action: / Responsible Person: / Due Date:

a. There is a clear set of standards for internal control.

b. The standards are based on legislation or the constitution.

c. There is a "Code of Ethics" that is well publicized and understood by management
and staff.

d. The code of ethics includes requirements of top management and senior staff to
disclose gifts, outside interests, personal financial interests, outside positions, and
other potential conflicts.

e. The code of ethics is being followed by staff, and includes disclosure by top
management and senior staff.

f. Management and staff exhibit a supportive attitude toward internal control at all
times throughout the organization, including dedicating qualified full-time staff to
this function; issuing, updating, and communicating necessary policies and
procedures on a regular basis; and recognizing compliance as an element of annual
performance.

g. Management and staff demonstrate a commitment to competence and training is
provided on an ongoing basis to ensure that relevant skills are increased and
maintained.

h. The organizational structure is supportive of a control environment. For instance, the
structure provides assignment of authority and responsibility, empowerment and
accountability, and appropriate lines of reporting. For each program, there is an
individual clearly responsible for program and budget performance.

i. Human resources policies and practices are supportive. For instance, recruitment,
performance appraisal, and promotion processes are based on merit.

2. Risk Assessment

Comments: Gap(s) & Action: / Responsible Person: / Due Date:

a. A formal risk management system is in place and operational.

b. Risks have been identified, assessed, and ranked.

c. Internal audit reviews these risks and controls as part of the annual audit program.

d. There is a quarterly review of the risks by line management.

e. There is identification of control gaps and implementation of control
actions/treatments in response.

f. There are operational risk committees at appropriate levels of the organization.

3. Control Activities

Comments: Gap(s) & Actions: / Person Responsible: / Due Date:

a. In general, control activities occur throughout the organization, at all levels and in all
functions. They include a range of detective and preventive control activities such as
authorization and approval procedures; segregation of duties (authorizing,
processing, recording, reviewing); controls over access to resources and records;
verifications; reconciliations; reviews of operating performance; reviews of
operations, processes, and activities; and supervision (assigning, reviewing and
approving, guidance, and training).

b. Ministry of Health has its own financial policies and procedures implementing those
of the Ministry of Finance.

c. Ministry adheres to Ministry of Finance and Ministry of Health financial policies and
procedures.

d. Effective financial accounting system and controls are in place.

e. Actual and planned budgets are compared and differences explained.
f. There are reasonable revenue projections in the budget and differences with actual
budget are explained.

g. There is a high degree of stakeholder access to key fiscal information.

h. There are opportunities for stakeholders to review and comment on budgets before
they are finalized.

i. Policy costs are estimated and forecast properly for future years.

j. The budget document includes activity statistics and performance information on the
effectiveness of existing programs.

k. Over/under spending is reported to the ministry’s budget office.

l. Commitments are made consistent with procedures.

m. Existing rules and procedures for making payments are followed.

n. An appropriate information management system (FMIS) is in place and functioning.

o. Access controls limit or detect access to computer resources (data, programs,
equipment, and facilities).

p. System software controls limit and monitor access to programs and sensitive files that
control the computer hardware and secure applications.

q. Policies, procedures, and an organizational structure are established to ensure
segregation of duties.

4. Information & Communication

Comments: Gaps & Actions: / Responsible Person: / Due Date:

a. Transactions and events are recorded promptly when they occur.

b. Recording covers the entire process or life cycle of a transaction or event.

c. Information is organized, categorized, and formatted such that reports, schedules, and
financial statements can be prepared.

d. Information systems produce reports that contain operational, financial and


nonfinancial, and compliance-related information that make it possible to run and
control operations.

e. Reporting is appropriate, timely, current, accurate, and accessible.

f. The internal control system and all transactions and significant events are fully and
clearly documented (e.g., flow charts and narratives) and readily available for
examination. (Extent is appropriate to the organization’s size and complexity.)

g. Management is kept up to date on performance, developments, risks, and the functioning of internal control and other relevant events and issues.

h. Management maintains formal communication mechanisms that allow for providing staff the information it needs to implement internal controls and for providing feedback and direction to staff on internal control weaknesses.

i. Management communicates the importance and relevance of effective internal control, the organization’s risk tolerance, and makes personnel aware of their roles and responsibilities in effecting and supporting internal control.

j. Management ensures adequate formal and informal means of communication with external parties, including audit bodies, parliament, civil society, and media to keep them abreast of internal control matters.

5. Monitoring

a. Ongoing monitoring of internal control is a normal part of the operation of the organization and is performed continually on a real-time basis. It includes regular management and supervisory activities and other actions personnel take in performing their duties.

b. Ongoing monitoring activities cover each of the internal control components and
involve action against irregular, unethical, uneconomical, inefficient, and ineffective
internal control systems.

c. The monitoring process reacts dynamically to changing conditions through regular updates to policies and procedures communicated to staff.

d. Decisions on the scope and frequency of separate evaluations (such as this self-assessment) are based primarily on the assessment of risks and the effectiveness of ongoing monitoring procedures.

e. When making this determination, the organization considers the nature and degree of changes, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of ongoing monitoring.

Comments column: Gap(s) & Actions; Person Responsible; Due Date.

f. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results.

g. All deficiencies found during ongoing monitoring or through separate evaluations are
communicated to those positioned to take necessary action.

h. Protocols exist to identify what information is needed at a particular level for effective decision making.

i. Monitoring internal control includes policies and procedures aimed at ensuring that
the findings of audits and other reviews are adequately and promptly resolved.

HOSPITAL COMPLIANCE AUDIT REVIEW

Cheong A Medical Center 2028 Evaluation Tool

Compliance Program Infrastructure Overview and Risk Assessment


Columns: Objective | Done By | YES/NO | Not Applicable | Remarks (the column entries that survived extraction are shown in brackets after each objective).

1. Has the Compliance Program implemented practices in all seven key elements of an effective Compliance Program as defined in OIG guidance? [II-B]

2. Does the Compliance Officer report to senior level management and have sufficient resources to complete key program responsibilities? [II-B; No. 1]

3. Does the Compliance Committee include members from all related health sciences operations? Is the charge to the Committee well defined and are members encouraged to provide input about key campus issues? [III-B; No. 1]

4. Has the Compliance Officer re-delegated authority for conducting Program activities to another member of the Compliance organization? If so, how is the delegation documented? [II-B]

5. How is staff training documented? Is the curriculum re-evaluated periodically? [II-B]

6. Has the campus implemented a confidential Hotline for communication of potential non-compliance? How is the Compliance Program included in the resolution of Hotline complaints? [II-B]

7. Is monitoring being performed in all of the key Compliance activities including Laboratory, Home Health, Clinical Research, Hospital and Professional Fee Billing? [II-B]

8. Are coding issues communicated to the appropriate management level (to ensure that changes will be made)? Is follow-up performed to ensure that coding improves? [IV-B]

9. Does the compliance program have a process for identifying the type of behavior that warrants disciplinary action? If such incidents have occurred, was the prescribed program process followed? [III-B (I)]

10. Has the Compliance Program developed standard criteria for determining when refunds to Medicare or other payers are required? [III-B; No. 6]

Hospital Compliance Program Review

Columns: Objective | Done By | YES/NO | Not Applicable | Remarks (column entries shown in brackets after each objective).

11. Is the overall scope of activities subject to monitoring activities well defined (e.g., in a manner similar to an audit universe)? If so, please describe. [IV-B]

12. Does the hospital/facility compliance program have an articulated goal with respect to coverage of the universe over time? If so, please describe. [IV-B]

13. Is a risk assessment process employed in planning monitoring activities? Please briefly describe (should incorporate Department of Health [DOH], and other available information sources). [IV-B]

14. Is there an annual review plan that is documented and measurable against the “universe” of auditable activities? Please describe the plan and its level of detail, and any tracking of plan execution. [II-B]

15. Does the Compliance Committee approve the annual plan? [II-B]

Monitoring Activities
16. How is coverage within each overall risk area (admissions, quality assurance, coding, charge
master, patient accounting, cost reporting, purchasing, employment/provider credentialing,
physician contracting) determined and coordinated?

17. Who is responsible for performing monitoring reviews? Describe the scope of monitoring
reviews.

18. Are any diagnostic techniques employed (e.g., profiling, denial rates)? Who performs these
analyses? Describe.

19. When charges are examined, are billing samples drawn from all bills or only federal payers?

20. Do the monitoring activities include:
a. Statistical sampling?
b. Non-Statistical sampling? Describe.
c. Other types of reviews, e.g., controls/processes? Describe.

21. What is the typical sample size and what is the sampling unit (bill, or line item of service)?

22. Describe rationale for extrapolating or not extrapolating errors detected.

23. Does the Compliance Office assure that errors are corrected?

Reporting

24. Are written reports prepared of monitoring reviews conducted?
25. Are conclusions clearly expressed, recommendations documented, and action plans offered by
auditee?
26. Are reports distributed to the Compliance Committee? Describe distribution protocol.
27. Is there any tabulation of cumulative report findings, common deficiencies, refunds triggered etc.,
and are these summaries provided to the Compliance Committee? Describe contents and
distribution.
28. Is a management response required? Please describe protocol for resolution of identified issues.

HOSPITAL BILLINGS AND RECEIVABLE AUDIT REVIEW

Cheong A Medical Center 2028 Evaluation Tool

General Overview and Risk Assessment

1. Please provide the following to the extent that they are available:
a. Mission statement or vision statement
b. Organizational chart
c. Current delegations of authority or responsibility
d. Most recent job descriptions for key management positions
e. Strategic planning documents
f. Chart of financial accounts
g. List of regularly prepared management reports (financial and/or programmatic)
h. List of key departmental contacts for major departmental activities
2. Please describe any significant changes to departmental operations in the last three years. For
example, please list any turnover in key positions; changes to policies, processes, or
procedures; new information systems; new or revised compliance requirements; etc.

3. Please describe department management's processes or approaches for evaluating the status of
current operations. If the various approaches include any formal risk assessment process,
please describe the process in detail and corresponding reporting, if any.
4. Do you have any concerns with regard to the current state of departmental activities? If so,
what are they? If not, what departmental operations should be considered for selection as the
focus or scope of the current review in your opinion?
5. Have any departmental operations been the subject of review by any outside party (e.g.,
Office of the President, peer review, independent consultants, regulatory agencies, etc.)? If so,
please provide the results of the review(s).

Financial Objectives

1. Please describe departmental budget processes, including departmental funds, and capital
funds. Please also describe departmental processes and responsibilities for monitoring
budget variances (actual financial results versus financial budgets).
2. What financial reports are prepared regularly and with what frequency? Who prepares the
financial reports, and to whom are they distributed?
3. How are collections and accounts receivable balances summarized and transferred to the
financial system? What system interfaces are involved?

4. Please describe the process for identifying and transferring accounts to the outside
collection agency. How are collection agency accounts monitored?

Compliance Objectives

1. Please explain your processes for promoting and ensuring compliance with various
requirements, e.g., DOH, other health plan contracts and internal policies and procedures
2. Are there any prescribed processes for monitoring the level of compliance with specific
requirements, and reporting internally discovered instances of non-compliance? If so, please
describe the processes.
3. In your opinion, are there any specific policies, procedures, rules, or regulations that are not
consistently observed? If so, please explain the requirement, and estimate the level of
compliance (or non-compliance) and its impact.

Operational Objectives
1. Please describe your core business processes for the following:
a. Admissions and Registration
b. Charge capture systems and processes
c. Charge Master maintenance
d. Diagnostic and Procedural coding
e. Cash deposit and co-payment collection
f. Claims compilation, edit and transmission processes
g. Accounts Receivable management
h. Credit Balance Resolution
2. Please describe your management reporting processes regarding the status of operational
activities. Please include both written and verbal reporting channels. For example, include
documented status reports, as well as project status meetings. Also, please indicate which are
used on a recurring basis, and the frequency, and which are used on a more ad hoc basis.
3. Regarding admissions and registration, please answer the following:
a. What data obtained during admissions and registration has an impact on the billing
process?
b. Please describe the system for transferring patient account information to claims. Has
a procedure been implemented which provides feedback to Admissions and
Registration management when patient account information is consistently inaccurate?
Is billing management involved in the Admissions and Registration training process?
4. Regarding charge capture systems and processes:
a. What are the various ways that hospital inpatient charges enter the billing system?
Outpatient charges?
b. Who is responsible to ensure that all charges are identified and input into the system?
c. What tools or reports are provided to responsible personnel to assist them with
consistent charge capture? Is training provided to staff?
5. Regarding diagnostic and procedural coding, please answer the following:
a. What departments are responsible for selecting codes for billed charges? Please
describe the various coding practices.
b. Does management require that staff who perform coding activities be certified? Is
periodic training provided? By whom?
c. What systems are used to complete coding? Do those systems have additional billing
compliance functionality (i.e. comparison of diagnosis and procedure codes for
reasonableness)?
6. Regarding Charge Master Maintenance, please answer the following:
a. Who is responsible for maintaining the hospital Charge Master?
b. Describe the request and approval process for implementing changes to the Charge
Master. Who performs a final review of billing codes and prices?
c. What is the process for ensuring that billing codes throughout the Charge Master are
updated annually when the CPT codes are updated?
d. How are medication costs included in the Charge Master? How are variances
between allowable charges between payors identified?
e. Has a periodic quality assurance review of Charge Master information been
implemented? What reports are generated? Who is responsible to review the reports
and implement corrective action?

7. Regarding cash deposit and co-payment collection, please answer the following:
a. Please provide a list of the primary locations that collect patient co-payments and
cash deposits.
b. How does staff in those locations know when a patient payment is due? Can services
be provided if a patient is not prepared to make a co-payment or deposit?
c. How does management ensure that cashiering functions comply with BUS 49
standards?
8. Regarding claims preparation, edit and transmission processes, please answer the following:
a. Describe how claims are compiled in the billing system. Please include information
relative to claims cycle time and criteria for distributing responsibility for claim
preparation and editing among the staff.
b. Describe the claim edit criteria and accountability structure. Are the criteria
documented? Have billing compliance regulations been included in the edit criteria?
i. Are claims transmission standards fully compliant with HIPAA? Are all
clearinghouses and other transmission strategies compliant with HIPAA
standards?
ii. Are batch or control totals used to ensure that electronic files are complete when
received by other systems?
9. Regarding accounts receivable management, please answer the following:
a. How is the responsibility for accounts receivable management divided among the
billing supervisors and staff?
b. What reports are generated by the billing system to assist the staff with achieving
production goals? How often are they revised?
c. What manual and system resources are available to staff to assist with answering
questions about payor requirements or claim information?
d. Describe the health plan contract management process.
10. Regarding credit balance resolution, please answer the following:
a. Who is primarily responsible for resolving credit balances?
b. What criteria are used to prioritize which credits to work?
c. What industry benchmarks are available to compare the results of local credit balance
management with other institutions?
d. How are refunds processed?
11. Please describe any operational activities that, in your opinion, could be improved.
Specifically, what would be changed, and what would be the resulting benefit. Has the idea
been discussed internally and, if so, what was the result? If not, why?

Information Systems Objectives

1. Please provide the name and version of the information system used for the following. Please
also note whether applications are manual or electronic, and what system they run on.
a. Charge Capture/Abstracting
b. Primary hospital billing and receivables system
c. Claims Edit system
d. Patient account management system
e. Other systems, if applicable
2. Who is responsible for systems administration and security? How is physical security
maintained for departmental information resources? How is logical security (access)
provided or restricted? Who decides the level of security? Are there departmental security
or computer use guidelines?
3. Have any department information systems been developed internally? If so, please describe
the development process and the current status of the system(s)?
4. Do any departmental information systems interface with systems owned by other central
administrative departments? If so, please describe.
5. Does the department have a written disaster recovery plan for emergencies? If so, is that plan
periodically tested? When was the last test, and what were the results?
6. Please describe the records retention schedules that are followed.
7. Have there been any indications of problems with information (e.g., availability, accuracy,
completeness, timeliness, security)? Describe the problem and its resolution, if applicable.
8. Have all the required software licenses been acquired? How are licenses tracked? Are
maintenance agreements current?
9. Do you have any concerns about departmental information systems, or interfaces with other
systems?
10. Are there any plans for changing current information systems or adding new ones in the next
three years?
11. Describe your virus protection strategy.
12. Describe any additional security protections implemented (e.g., firewalls, IP filtering, IPsec,
VLANs, routing, encryption).

PSA 265 “Communicating Deficiencies in Internal Control with Those Charged with
Governance and Management”
Introduction
Scope of the PSA
1. This Philippine Standard on Auditing (PSA) deals with the auditor’s responsibility to
communicate appropriately to those charged with governance and management deficiencies in
internal control that the auditor has identified in the audit of the financial statements. This
PSA does not impose additional responsibilities on the auditor regarding obtaining an
understanding of internal control or designing and performing tests of controls over and above
the requirements of PSA 315 and PSA 330. Moreover, PSA 265 establishes requirements
regarding the auditor’s responsibility to communicate with those charged with governance in
relation to the audit.
2. The auditor may identify deficiencies in internal control not only during the risk assessment
process but also at other stages of the audit. This PSA specifies which identified deficiencies
the auditor is required to communicate to those charged with governance and
management. Nothing in this PSA precludes the auditor from communicating to
those charged with governance and management other internal control matters that the auditor
has identified during the audit.

Objective
3. The objective of the auditor is to communicate appropriately to those charged with governance and
management any deficiencies in internal control that the auditor has identified during the
audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their
respective attention.

Requirements of the PSA:

4. The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or
more deficiencies in internal control.
5. If the auditor has identified one or more internal control deficiencies, the auditor shall
determine whether, individually or in combination, they constitute significant deficiencies.
6. The auditor shall communicate in writing, significant deficiencies in internal control
identified during the audit to those charged with governance on a timely basis.
7. The auditor shall communicate to management at an appropriate level of responsibility on a
timely basis:
(i) In writing, significant deficiencies that the auditor has communicated or intends to
communicate to those charged with governance, unless it is inappropriate to
communicate directly to management in the circumstances.
(ii) Other deficiencies in internal control that have not been communicated to
management by other parties and are of sufficient importance to merit
management’s attention.
8. The auditor shall include in the written communication of significant deficiencies in Internal
Control:
A. A description of the deficiencies and an explanation of their potential
effects.
B. Sufficient information to enable those charged with governance to
understand the context of the communication. The auditor shall explain that:
(i) The purpose of the audit was for the auditor to express an opinion on
the financial statements.
(ii) The audit included consideration of internal control relevant to the
preparation of financial statements in order to design audit
procedures that are appropriate to the circumstances, but not for
the purpose of expressing an opinion on the effectiveness of
internal control; and
(iii) The matters reported are limited to those deficiencies that the auditor
has identified during the audit and has concluded are of
sufficient importance to merit being reported to those charged
with governance.

Limitations of Internal Control

Inherent limitations of internal control include the following:
1. Management overriding internal control.
2. Circumvention of Internal Control through the collusion among employees.
3. The cost-benefit relationship is a primary criterion in designing internal control; that is, the
cost of a control should not exceed its expected benefits (also known as the concept of
reasonable assurance).
4. Most internal controls tend to be directed at routine transactions rather than non-routine
transactions.
5. Potential for human error due to carelessness, distraction, mistakes of judgment and
misunderstanding of instructions. This includes errors in the design or use of automated
controls.
6. The possibility that procedures may become inadequate due to changes in conditions and
compliance with procedures may deteriorate.
7. Segregation of duties may be difficult to achieve in a smaller entity.