Summer 2012 - Audit Connection


The Audit Connection Collaborating for Enterprise Excellence

Summer 2012, Issue No. 2

Inside this issue:
- Fiscal Year 2013 Audit Plan
- Maintaining Continuity During Times of Change
- Cash Handling Best Practices
- Conflicts of Interest and New NIH Rules
- Spreadsheet Risk
- New IIA CSRA Chapter Expands Networking Opportunities
- Meet Our New Auditor

Internal Audit Staff
- Michael Foxman, Interim CAO
- Crystal Corey, Audit Manager
- Neha Bhatt, Senior Auditor
- Vernon Walters, Senior Auditor
- Will Barnes, Auditor
- Sheryl Brown, I.T. Auditor
- Lisa Kedigh, Admin. Asst. III

The Office of Internal Audit's purpose is to support the mission and vision of the Georgia Health Sciences Enterprise by: providing independent and objective management evaluations; identifying actual and potential problems; providing corrective guidance; developing management recommendations; and providing consultation services in accordance with professional internal auditing standards and compliance review guidelines.

We are here to help you!

From the Interim Chief Audit Officer
Michael J. Foxman

The Office of Internal Audit recently completed its rolling audit plan for fiscal year 2013. This information should be useful to departments/offices scheduled for an engagement. The following is a list of scheduled assurance (traditional audit) and consulting (advisory services) engagements and a brief description. This list is subject to change.

Near-Term (starts July 2012 – December 2012)

- Accounts Receivable (assurance - University): To review internal controls and determine the reasonableness, accuracy, completeness, and validity of stated balances
- Enterprise Contract Management (assurance - University and Clinical*): To identify if contracting process is properly managed
- Enterprise Information Security (assurance - University and Clinical): To ensure that the enterprise is securing and protecting its data in line with best practices, such as encryption
- Institutional Review Board (assurance – University): To review approved protocols, determine compliance with state and federal regulations and institutional policy, and to gather information for continuous improvement on ways to improve the IRB process
- Policy and Procedures Alignment (consulting – University and Clinical): To determine any duplication and/or gaps in policies across the enterprise

* Clinical is defined as Georgia Health Sciences Medical Center and/or Georgia Health Sciences Medical Associates

706-721-2661 http://www.georgiahealth.edu/audits/

Ask the Auditor! We invite you to send your questions to internal_audit@georgiahealth.edu, and we may feature it in future issues. 1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094



Medium-Term (starts January 2013 – June 2013)

- ASU Migration to PeopleSoft (consulting – University): To determine whether the migration process includes proper testing procedures prior to implementation, determination of required system specifications and design of effective payroll controls
- Cash Controls at PPG (assurance – clinical): To review timely posting of cash receipts, especially related to copayments
- Charge Capture Reconciliation (assurance – clinical): To provide recommendations for process improvement throughout the revenue cycle including validation that professional and facility charges are accurately captured for all services provided
- Enterprise Management of Cash Reserves (assurance – University and Clinical): To identify any material reserves that are not properly accounted for, managed and disclosed
- Enterprise Surprise Cash Counts (assurance – University and Clinical): To provide assurance and recommendations that stated cash balances are accurate and controls are maintained through test of surprise cash counts
- Financial Aid (assurance – University): To review processes/procedures for determining financial aid eligibility and verification, awarding of financial aid, disbursing financial aid, complying with pertinent regulations, and providing controls over cash management/reconciliation/drawdowns
- Grants and Contracts (assurance – University): To review pre-award and post-award procedures and review compliance with OMB Circular A-21 requirements
- Patient Appointment Scheduling and Resources (assurance – Clinical): To measure the effectiveness and efficiency of the process used for scheduling timely appointments


Maintaining Continuity During Times of Change
Michael J. Foxman, Interim CAO

We live in a fast-paced, dynamic environment where change is one of the few constants. What does this mean to your department and what may be the potential impact should an employee move on? When a long-term employee leaves an organization, they often take vital knowledge with them. This may include not only projects they have worked on, but institutional knowledge, as well. It is, therefore, important to be prepared to manage turnover, both planned and unplanned.

Here are some suggested staffing change management best practices:

- Maintain easily accessible, retrievable and understandable recordkeeping systems. Ensure that files are maintained and backed-up on a network drive.


- Document day-to-day procedures in writing and update the procedures as necessary. Do not wait until someone announces their planned departure for them to document everything they do in their last few days of employment.
- Develop succession plans to ensure management positions and/or other critical roles can be filled. Regularly review your plans for covering and replacing “leavers” and training and inducting “new starters.”
- Examine where the benefits of cross-training may be practical. If an employee were to abruptly quit, the interruption will be minimized since other staff members can slide into the vacant position if they are already familiar with business processes outside of their primary jobs.
- Assess any foreseeable losses of key staff (such as retirements) over the next one to three year period and determine the implications (budgets, skill gaps).

If a personnel change in a business-critical role is anticipated in your department, the Office of Internal Audit is here to help. We can work with you to identify key processes, look for unaddressed risks and ensure that you have adequate written policies and procedures in order to weather the change. Please contact our office to see if we may be able to assist.


Cash Handling Best Practices
Crystal Corey, Audit Manager

Across the GHS Enterprise, the collection of cash occurs in many units and forms (paper currency, coins, checks, credit card transactions, electronic funds transfer, etc.). Whether it is the Parking Office collecting for a parking ticket, the Business Office accepting student tuition payments, or the Wellness Center collecting membership dues, all units have a responsibility to ensure that funds are properly accounted for and safeguarded. Cash, the most liquid of assets, is easily susceptible to loss and/or theft if not properly controlled. To avoid this, strong internal controls are necessary.

Here are some best practice guidelines for cash handling:

- Establish an adequate segregation of duties or compensating controls within internal cash handling processes. Cash processes should be divided so that one individual does not have complete control over receipting, depositing, and reconciling.


- Develop internal procedures and/or policies for handling cash. Employees should be familiar with institution and unit specific policies and procedures.
- Ensure an adequate system of receipting exists, i.e. a pre-numbered receipt book, payment software, etc.
- Reconcile receipts to collections on a routine basis and investigate discrepancies. The Office of Internal Audit should be contacted if cash theft or shortages are discovered.
- Supervisors should routinely review and approve reconciliations, voided and/or missing receipts, voided transactions, and financial reports.
- Deposit funds timely.
- Adequately safeguard the location of and access to cash until deposited. Protection can be provided through the use of safes, vaults, locked cash drawers, etc.

Having these controls in place will promote a strong system of internal control and help ensure accurate accounting for institutional records.


Conflicts of Interest
Neha Bhatt, Senior Auditor

Managing Conflicts of Interest

Effective management of Conflicts of Interest (COI) is an on-going concern and presents substantial risk for academic healthcare institutions. COI management is important to ensure the Enterprise is: complying with state and federal regulations; ensuring that potential conflicts are disclosed; and managing, reducing, and/or eliminating COI and reporting them appropriately, so there is reasonable expectation that employees and research are unbiased and that public trust is preserved.

COI Definitions, Types, and Employee Responsibilities


A Conflict of Interest (COI) is any relationship that is, or appears to be, not in the best interest of the organization. A COI would prejudice an individual's ability to perform his or her duties and responsibilities objectively. A COI includes apparent or actual bias, created by an individual’s personal relationships, or by an individual’s or family member’s financial interest or other interest in a company that does business with, competes or may compete with the Enterprise. This would include receipt of gifts and gratuities.

There are two types of COI, Individual and Institutional. An Individual COI is any situation in which it reasonably appears that a financial interest or other personal interest could compromise the integrity of work performed. All employees are required to disclose any financial or other COI of his/her own or family member. An Institutional COI describes a situation in which the financial interests of an institution or an institutional official, acting within his or her authority on behalf of the institution, exerts undue influence on decisions involving the institution’s primary interests.

An example of a potential COI: Georgia Health Sciences University (GHSU) transfers technology to a faculty member’s small, private start-up company, retaining an equity position in the company where stock is not yet public. The faculty member may have an individual COI, and GHSU may have an institutional COI. Both should be disclosed and managed or eliminated.


COI Violations


COI violations may be punishable by fines, imprisonment, and suspension of the National Institutes of Health (NIH) funding.


New NIH Requirements beginning August 24, 2012


The NIH is an agency of the United States Department of Health and Human Services and is the primary agency of the United States government responsible for biomedical and health-related research. In August 2011, the NIH published a final rule on financial conflicts of interest (FCOI) for research organizations receiving public funding. These new regulations amend the 1995 rules. The major changes to the 1995 regulations include:

- Lower financial disclosure thresholds: Significant Financial Interest (SFI) threshold will be $5k instead of $10k
- FCOI training requirements: Each Investigator must complete FCOI training every four years, and under other circumstances.


- Public accessibility requirements: Institutions must maintain an up-to-date, written policy on FCOI and make it available via a publicly accessible website; also additional disclosure requirements, including public access to disclosed SFI’s.
- Increased transparency for travel reimbursements: Travel that is reimbursed or sponsored by certain private entities must be disclosed.

Organizations must be in compliance with these new NIH requirements by August 24, 2012. For complete information on the NIH regulations: http://grants.nih.gov/grants/policy/coi/

COI Information and Questions

For additional information regarding COI and your specific disclosure requirements, please refer to your organization’s COI policies, available on the GHS website. Please contact the Compliance and Enterprise Risk Management Office for any potential COI-related questions:

Website: http://www.georgiahealth.edu/compliance/
Phone: 706-721-0900
Email: compliance@georgiahealth.edu


Spreadsheet Risk
Sheryl Brown, I.T. Auditor

Spreadsheets are a key asset and integral part of the information and decision making framework for GHS. They are useful and relatively inexpensive tools that can be employed for creating or updating reports for senior management, tracking quality measures, managing budgets, tracking equipment inventory, compiling and reporting financial data. Generally, spreadsheets are created and maintained within individual operating units of the enterprise without intensive IT support.

Did you know that a spreadsheet falls into the category of User Developed Applications? Like any application that supports a major regulatory or financial aspect of the enterprise, the use of spreadsheets poses risks to the organization, and should adhere to controls over change, backup and restoration, security, and data integrity.

Risks posed by spreadsheet use range from manual errors and lack of quality control over the results to spreadsheet fraud. Some relevant types of spreadsheet fraud include:


- Presentation fraud: The spreadsheet displays and prints different numbers than those calculated through hiding rows or columns, conditional formatting to change or hide data depending upon its value, or setting the font color the same as the background, making a cell’s contents “invisible.”
- Data Fraud: Data for an otherwise correct spreadsheet is replaced by false values.
- Burial Fraud: A fraudulent change is made to a key transaction in a list of thousands of transactions and the user then sorts the list using standard spreadsheet functionality, making the change almost impossible to locate manually.
- Function Fraud: This involves the creation of functionality beyond standard cell based formulas through manipulation of macros or user defined functions.

Here are some best practices for managing “significant spreadsheets”:

- Maintain an inventory of all the significant spreadsheets used in a department. A spreadsheet should be considered significant if: the output results in a journal entry to a financial statement, management decisions are based on the spreadsheet presentation, or incentive compensation is affected. Identify the spreadsheet name, the purpose of the spreadsheet, where it resides, the version of the spreadsheet tool (i.e., Excel 2010 or Excel 2007), the individuals who have access to the spreadsheet, especially those who edit it.


- Develop formal documentation for the spreadsheet to include: the author, the source of the data, input cells, output cells, formula cells, a summary of the analytical and calculation methodology, spreadsheet use procedure including the checks and balances used for verification of the accuracy of results, and a log of changes to the formulas and versions.


- Provide formal training in spreadsheet design and methodologies for individuals responsible for managing and maintaining spreadsheets.


- Require appropriate input and output controls such as completeness checks, validity edits, and balancing routines for significant spreadsheets.


- Save significant spreadsheets to a location that provides restricted access and regular backups.
- Convert spreadsheets from previous reporting periods to a read-only format and archive them for later retrieval.
- Review the mechanics of the spreadsheet each reporting period in sufficient detail to detect inadvertent changes.
- Test overall mechanics of the spreadsheet before it is used the first time, and retest at least once annually.


- Lock formula cells to prevent inadvertent changes.

While spreadsheets can result in great productivity for the enterprise, recognize that they are indeed software applications and should meet criteria such as confidentiality, reliability, integrity, and availability that we expect and require of other critical systems that support our business.
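One way to support the periodic review of a significant spreadsheet is to scan the workbook file for the presentation and function fraud indicators listed above: hidden rows and columns, text set to the background color, conditional formatting, and macros. The following Python sketch is an added example, not part of the original newsletter; the function names are hypothetical, the sample workbook is constructed and contains only the two parts the scanner reads, and only explicit RGB colors are compared (a cell without a solid fill is assumed to show a white background).

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}
WHITE = "FFFFFFFF"  # assumption: a cell without a solid fill shows a white background


def _rgb(elem):
    """ARGB value of a colour element, or None (theme/indexed colours not resolved)."""
    return elem.get("rgb").upper() if elem is not None and elem.get("rgb") else None


def _invisible_styles(styles_xml):
    """Indexes of cell styles whose font colour equals the cell background."""
    root = ET.fromstring(styles_xml)
    fonts = [_rgb(f.find("m:color", NS)) for f in root.findall("m:fonts/m:font", NS)]
    fills = []
    for fill in root.findall("m:fills/m:fill", NS):
        pat = fill.find("m:patternFill", NS)
        solid = pat is not None and pat.get("patternType") == "solid"
        fills.append(_rgb(pat.find("m:fgColor", NS)) if solid else WHITE)
    xfs = root.findall("m:cellXfs/m:xf", NS)
    pairs = [(fonts[int(x.get("fontId", 0))], fills[int(x.get("fillId", 0))]) for x in xfs]
    return {i for i, (font, fill) in enumerate(pairs) if font is not None and font == fill}


def scan_workbook(data):
    """Return sorted (part, finding) tuples for an .xlsx/.xlsm file given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "xl/vbaProject.bin" in names:  # macro container in .xlsm files
            findings.append(("xl/vbaProject.bin", "macros present"))
        bad = _invisible_styles(zf.read("xl/styles.xml")) if "xl/styles.xml" in names else set()
        for name in names:
            if not name.startswith("xl/worksheets/") or not name.endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            for col in root.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append((name, f"hidden columns {col.get('min')}-{col.get('max')}"))
            for row in root.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append((name, f"hidden row {row.get('r')}"))
                for c in row.findall("m:c", NS):
                    if int(c.get("s", 0)) in bad:
                        findings.append((name, f"invisible text in {c.get('r')}"))
            if root.find("m:conditionalFormatting", NS) is not None:
                findings.append((name, "conditional formatting present"))
    return sorted(findings)


def build_sample():
    """Constructed sample input: only the styles part and one worksheet part."""
    styles = (
        f'<styleSheet xmlns="{MAIN}">'
        '<fonts><font/><font><color rgb="FFFFFFFF"/></font></fonts>'
        '<fills><fill><patternFill patternType="none"/></fill></fills>'
        '<cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="0"/></cellXfs></styleSheet>'
    )
    sheet = (
        f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="3" hidden="1"/></cols>'
        '<sheetData><row r="1"><c r="A1" s="0"><v>100</v></c></row>'
        '<row r="2" hidden="1"><c r="A2" s="0"><v>-40</v></c></row>'
        '<row r="3"><c r="B3" s="1"><v>-60</v></c></row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/styles.xml", styles)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for part, finding in scan_workbook(build_sample()):
        print(f"{part}: {finding}")
```

A finding is a prompt for review rather than proof of fraud, since hidden columns and conditional formatting also have legitimate uses.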


Newly Formed IIA CSRA Chapter Expands Professional Networking Opportunities for ASU Students and Faculty


Richard Archer, President, IIA CSRA Chapter
Kathleen Boyd, Internal Auditor, Office of the President, ASU



On May 11th, the newly organized CSRA Chapter of the Institute of Internal Auditors (IIA) held its first CPE Conference on the ASU campus at the Hull College of Business, which co-sponsored the conference. A total of 57 people attended the conference from throughout the CSRA and from as far away as Savannah and Kennesaw. ASU was well represented with 15 students and two Hull faculty members who spoke at the conference.

In her presentation “Does Ethical Business Behavior Pay?” Dr. Catherine Slade discussed the impact of a strong ethical culture on the effectiveness of an organization’s corporate governance environment. Considering the continuing discoveries of ethical lapses, excessive risk taking, and period frauds in the time leading up to the current recession, Dr. Slade’s topic was particularly relevant to internal auditors’ concerns.

[Photo: Dr. Catherine Slade provides insights on the importance of strong ethics cultures.]

In the afternoon session “Internal Controls in Non-profit Service Organizations – Problematic or Pragmatic?” Dr. Pamela Jackson, assisted by graduate assistant Vivian Barrientos, provided interesting alternatives from their research for implementing cost effective controls in non-profit organizations. This is very important for charitable and community service organizations, which frequently face funding and staffing constraints limiting their ability to purchase sophisticated IT systems and software or to hire enough staff to provide complete segregation of duties.

[Photo: Grad student Vivian Barrientos presents the results of her research on alternative approaches to implementing effective internal controls in non-profits.]

Dr. Richard Clune, Director of the Center for Internal Audit at Kennesaw State University, and Craig Tarkenton, Manager of the Professional Services Group at EDTS (a CSRA-based Inc. 5000 company), were the other speakers at the conference.
Because IIA CSRA Chapter members hold a variety of managerial and professional roles, work in a wide range of industries, and have broad business expertise beyond auditing, ASU students have access to expanded opportunities and resources as they consider career options. As a result of the positive working relationship established with the faculty and students of the Hull College of Business in connection with the May conference, the IIA CSRA chapter will expand its interaction with the ASU community through participation in Career Day events, job fairs, invited speaker programs, mentoring, and other activities that will provide opportunities to increase awareness of internal auditors and their roles in supporting ethical and effective enterprises.

In addition to participation in ASU events, the IIA CSRA chapter will continue to make available free or substantially reduced fee registration to future meetings and CPE events for ASU students in order to provide students with a better understanding of internal auditing related fields as viable career options.

For information about membership in the IIA or IIA CSRA Chapter activities, please contact Richard Archer at richard.archer@cg-managementsolutions.com

Meet Our New Auditor

A new Senior Auditor, Vernon (Danny) Walters, will be joining our team on July 2, 2012. His prior experience includes working at Savannah River Nuclear Solutions, LLC, as Principal Internal Auditor, and most recently as Lead Investigator in the Employee Concerns Program. He is both a Certified Internal Auditor (CIA) and Certified Information Systems Auditor (CISA). He holds a BBA in Accounting from Augusta State University and an MBA from Auburn University. We look forward to welcoming him to our team!
