Note: I hope this is like the ACL forum where there are more people reading it, but not posting questions/answers. While I am enjoying my trip down memory lane – it is a lot of work and it would be a shame if I was the only one reading the posts. My aim was to encourage discussion and sharing – this is not happening and lessens the value of the blog. So post a comment, describe your experience, etc.
My early introduction to audit included the concept that audit was an early warning for management (this was before “independent assurance”). It had the notion of identifying things that were going wrong and making useful recommendations (this was also before the idea of “risk”). However, my belief was always that audit was there to help; and that the help could and should be offered to all levels of management. Luckily, I did not see these as incompatible ideals; and to a certain extent neither did my managers.
I remember often having discussions over who was audit’s “client”. We reported to the Board – and they were the main recipients of our reports. So they were a client. Senior management also received the reports and responded to the recommendations – so they were a client. But local management was the group being assessed and had to implement the recommendations – so this made them a client. The issue was, the three groups had very different motivations and needs. A high-level report was of little value to the local manager, who needed to fully understand the “cause” associated with the finding in order to be able to adequately address the issue; whereas senior management and the Board were more concerned with the impact. Hence the ongoing debate of “who is our client”.
For a number of years, we actually produced three levels of reports: the local manager’s detailed report with criteria, condition, cause, impact and recommendations; the management report, which focused on the “what does it all mean” (impact and recommendation); and the Board report, which presented an overall assessment. In the end we were spending as much time writing the report(s) as performing the actual audit.
Your thoughts/experience on who is your client and how do you address the needs of your audience?
Auditors are often asked to examine fairly sensitive areas. This can also mean that you have access to personal information. Depending on your definition, this could be executive compensation, but in this case (for me) it was health claims.
The company had changed health care providers and was not seeing the expected reductions in costs. At the same time, senior management was concerned about health care fraud, addiction, and other risks around prescription medication.
For the last few years, already having negotiated access to the main systems (finance, HR, operations, T&E, etc.), I did not have to worry about getting access to new data sets. I had almost forgotten how onerous it can be. Getting the health claims data was a reality slap in the face. The typical reactions – do you have the authority to access personal information? you don’t need the data to do the audit; you don’t have proper security to protect the data; etc. – all had to be addressed before I was able to get and start analyzing the data. Fortunately, I started the process early and had other things to do while waiting for the data.
Management had concerns about the controls in place within the healthcare provider. They wanted to ensure that employees were getting the benefits to which they were entitled, but also that abuse was kept to a minimum. Some of the internal risks that we wanted to assess included: people going from doctor to doctor (doctor shopping) and getting multiple prescriptions; incorrect prescriptions (e.g. birth control pills claimed by males); over-medication; use of restricted medication (e.g. operating heavy equipment while on certain meds). External risks, such as provider fraud, included: upcoding (charging for more than required); double-billing; billing for services not rendered; provision of unnecessary procedures; over-charging for procedures.
ACL Commands: FILTERS, STATISTICS, DUPLICATES, CLASSIFY, RELATE, and SCRIPTING
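The tests listed above map directly onto the ACL commands named: RELATE joins the claims to the HR extract, FILTER isolates the exceptions, DUPLICATES finds double-billing, and CLASSIFY/STATISTICS summarise by provider. As an added example (not the author’s ACL scripts, which are not reproduced on this page), here is the same set of analytics written in Python over a constructed claims file. The claim records, employee records, drug names, role codes and thresholds (a 30-day window, three prescribers) are all invented for illustration; in the real audit the criteria came from the medical adviser.

```python
"""Health-claims analytics in Python: doctor shopping, sex/drug mismatch,
double-billing, restricted medication by role, and a per-provider summary.
All data and criteria below are constructed for this example."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed claims extract:
# (claim_id, emp_id, provider_id, service_date, drug_or_procedure, amount)
CLAIMS = [
    ("C1", "E100", "P1", date(2020, 3, 1), "OXYCODONE", 40.0),
    ("C2", "E100", "P2", date(2020, 3, 9), "OXYCODONE", 40.0),
    ("C3", "E100", "P3", date(2020, 3, 20), "OXYCODONE", 40.0),
    ("C4", "E101", "P1", date(2020, 3, 5), "ORAL_CONTRACEPTIVE", 25.0),
    ("C5", "E102", "P4", date(2020, 3, 5), "PHYSIO_SESSION", 80.0),
    ("C6", "E102", "P4", date(2020, 3, 5), "PHYSIO_SESSION", 80.0),  # repeat of C5
    ("C7", "E103", "P2", date(2020, 3, 12), "OXYCODONE", 40.0),
    ("C8", "E104", "P1", date(2020, 3, 15), "ANTIHISTAMINE_SEDATING", 12.0),
]

# Constructed HR extract (the RELATE target): emp_id -> (sex, role)
EMPLOYEES = {
    "E100": ("F", "OFFICE"),
    "E101": ("M", "OFFICE"),
    "E102": ("M", "OFFICE"),
    "E103": ("M", "HEAVY_EQUIPMENT"),
    "E104": ("F", "HEAVY_EQUIPMENT"),
}

# Constructed criteria (hypothetical; real lists must come from medical advice
# and be kept current, which was itself a finding in the audit described above)
SEX_RESTRICTED = {"ORAL_CONTRACEPTIVE": "F"}             # drug -> only valid sex
SAFETY_RESTRICTED = {"OXYCODONE", "ANTIHISTAMINE_SEDATING"}  # not while operating equipment
SAFETY_ROLES = {"HEAVY_EQUIPMENT"}


def doctor_shopping(claims, window_days=30, min_prescribers=3):
    """Employees who got the same drug from >= min_prescribers distinct
    providers inside any window_days period. Returns {(emp, drug): [providers]}."""
    by_key = defaultdict(list)
    for _, emp, prov, day, item, _ in claims:
        by_key[(emp, item)].append((day, prov))
    flagged = {}
    for key, rows in by_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # slide the window over sorted dates
            provs = {p for d, p in rows[i:] if d - start <= timedelta(days=window_days)}
            if len(provs) >= min_prescribers:
                flagged[key] = sorted(provs)
                break
    return flagged


def sex_mismatch(claims, employees):
    """Claim ids for a drug whose valid sex differs from the HR record (RELATE + FILTER)."""
    return [cid for cid, emp, _, _, item, _ in claims
            if item in SEX_RESTRICTED and employees[emp][0] != SEX_RESTRICTED[item]]


def double_billing(claims):
    """Claim ids where employee, provider, date and item repeat (DUPLICATES)."""
    seen = Counter((emp, prov, day, item) for _, emp, prov, day, item, _ in claims)
    return [cid for cid, emp, prov, day, item, _ in claims if seen[(emp, prov, day, item)] > 1]


def restricted_med_for_safety_role(claims, employees):
    """(emp, drug) pairs where a safety-sensitive employee claimed a restricted drug."""
    return sorted({(emp, item) for _, emp, _, _, item, _ in claims
                   if item in SAFETY_RESTRICTED and employees[emp][1] in SAFETY_ROLES})


def provider_summary(claims):
    """Claim count and total billed per provider (CLASSIFY/STATISTICS) to spot outliers."""
    totals = defaultdict(lambda: [0, 0.0])
    for _, _, prov, _, _, amt in claims:
        totals[prov][0] += 1
        totals[prov][1] += amt
    return {p: (n, round(t, 2)) for p, (n, t) in totals.items()}


if __name__ == "__main__":
    print("doctor shopping:", doctor_shopping(CLAIMS))
    print("sex/drug mismatch:", sex_mismatch(CLAIMS, EMPLOYEES))
    print("double billing:", double_billing(CLAIMS))
    print("restricted meds, safety roles:", restricted_med_for_safety_role(CLAIMS, EMPLOYEES))
    print("per provider:", provider_summary(CLAIMS))
```

Each function returns the exception list rather than printing it, so the same checks can be scheduled against a fresh extract for the ongoing monitoring the post mentions handing to the health claims manager. The double-billing check deliberately matches on exact duplicates only; near-duplicates (same service re-dated by a day, or a slightly different amount) need a looser key and a manual review queue.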
Lessons-Learned: Clearly defining and explaining the purpose of the audit is always critical – but it is even more so when you are dealing with personal information. Not only did the manager responsible for the health claim program want to know why we were performing the audit, why we needed personal information, and what we were going to do with the information – during and after the audit – but so did the union and the employees themselves. By being open and transparent about our objectives, the risks and criteria, and how we would protect, use and dispose of the data, we were able to address the legitimate concerns of everyone involved.
Auditors are often asked to assess the risks and controls in areas where they have limited experience or even expertise – health claims was one such case. The IIA standards require the Chief Audit Executive to ensure that there are sufficient skills and knowledge on the team in order to properly conduct the audit. We were able to bring in a doctor to assist us with determining both the internal and external risks and the criteria. The additional credibility helped our cause when we explained the findings – particularly the impact. For example, the list of restricted medications (not allowed to operate heavy equipment while taking these meds) was out of date and did not include newer medications; and the addiction to and reselling of medications was an area where having medical expertise was an immense benefit.
Finally, and sadly, the controls in information systems are often not adequate to address the risks and are not kept up to date as new risks emerge. I have found this to be true in almost every audit I have undertaken. If management is relying on an automated control – it is not working the way they expect, or not at all. Auditors must determine not only the risks, but also the controls – automated and manual – that should be addressing these risks. The controls should be a mix of preventive, detective and corrective; and should be assessed for their continued requirement, adequacy, and effectiveness.
Who was our client? We certainly were able to provide valuable recommendations to the health claims manager – and even provided them with ACL scripts they could run to perform ongoing monitoring. We also provided assurance to senior management and the Board that medical services and employee health and wellbeing were being properly addressed by all concerned. Finally, we also helped the individual employees: we ensured that health policies and procedures were updated and consistent with the newer medications and put in place a process to keep them updated on an ongoing basis; we identified fraudulent healthcare practitioners who were not providing employees with proper care; and we identified practices that were detrimental to personal health and provided educational materials.