1. Changes in the International Standards for the Professional Practice of Internal Auditing & Implications for Healthcare Organizations AHIA Northwest Regional Seminar May 7, 2010 Exaltant TM Grant Baumgartner Chief Consulting Officer Phone: 206-999-3663 grant.baumgartner@exaltant.com Protiviti TM Keith Kawashima Managing Director Phone: 408-808-3222 keith.kawashima@protiviti.com

2. 1 Summary of Changes Effective January 1, 2009, the Institute of Internal Auditors (IIA) made changes to the International Standards for the Professional Practice of Internal Auditing (Standards):  Changed from “should” to “must” throughout most of the Standards  Added six new Standards  Added new verbiage to existing Standards  Interpretations added that were previously part of the Practice Advisories

3. 2 Summary of Changes Areas Affected: –IT Governance –Fraud Risk Management –Communication with the Board –Ethics Programs –Technology Based Audit and Other Data Analysis Techniques –Limitation and Adequacy of Resources –Records Retention –Quality Assurance Reviews –Modifications to the IA Charter –Prohibition on Managing Risk –Conducted in Conformance with The Standards

4. 3 Actions Required by Internal Audit Leadership Discuss changes with Management and Audit Committees Develop gap analysis Disclose incremental required actions to be taken

5. 4 IT Governance  Assess IT governance and determine appropriate reporting  Potentially increase IT auditing to adequately report on IT Governance  Perform enhanced IT risk assessment  Use IT Subject Matter Experts (SMEs) or outside resources as needed and re-evaluate capability of existing resources  Consider adopting the ITGI Five Elements of IT Governance to review the IT organization’s governance framework 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives. NEW Standard

6. 5 IT Governance – Implementation Guidance Consider the following factors: –Longevity and relative maturity of existing IT governance program –Adopted governance or delivery frameworks (ITGI, Val IT, ITIL, ISO, etc.) –IT, Business and Board stakeholder input about IT investments and projects The ITGI Five Elements of IT Governance is useful from a scoping perspective:

7. Medical devices Medical Devices Medical Devices ER Rx Image.OR Healthcare IT Environment 6 Core Systems: GL, Materials, HR & Payroll, A/P, Patient Accounts, Clinical, EHR PDA WLAN www

8. Healthcare IT Environment Must support the organization’s strategies and objectives –Accountable Care Organizations –Medical Homes –Co-ops –Insurance Exchanges –Capitation –Claims –Other Contracting and Reporting 7

9. 8 Discussion Questions IT Governance  Has your organization performed an IT Governance assessment?  How did you approach this effort?  If not, how do you intend to comply with the Standard?

10. 9  Perform a fraud risk assessment and evaluate fraud risk management program by:  Assisting management in performing one  Leveraging an existing assessment performed as part of SOX or  Performing an independent assessment  Utilize outside resources as needed  Utilize data analysis and continuous auditing and monitoring to enhance detection  Determine style and scope of reporting  Coordinate with legal counsel as appropriate Fraud Risk Management 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. NEW Standard

11. Healthcare Fraud Risk Management Coding Charging Procurement Expense reporting Time keeping Cash locations Credit card locations Self-funded insurance Electronic transactions Financial, utilization and clinic outcomes reporting 10

12. 11 Discussion Questions Fraud Risk Management  Has your IA function conducted a Fraud Risk Assessment? - Examples  Discrete Fraud Risk Assessment project  Identification of fraud-related risks/controls during audit projects  Other - Who was involved in the effort? -Lessons learned  What have been your challenges in conducting fraud risk assessments?  How do you support fraud prevention and detection activities with training and awareness programs for Management and employees?

13. 12 Discussion Questions Fraud Risk Management Whose responsibility is it to monitor fraud risk within your operations on a daily, on-going basis (i.e., “continuous monitoring”)? How are “computer-assisted audit techniques” or electronic data analysis used to help identify potential fraud risk within financial or operational processes? What is the role of your Board of Directors in fraud risk governance?

14. 13 Increasing the Chief Audit Executive’s visibility with the Board Implement the Standards communications requirements with the Board Evaluate if reporting style and approach should be revised and enhanced Coordinate with legal counsel on reporting guidelines Communication with the Board 1111 – Direct Interaction with the Board The chief audit executive must communicate and interact directly with the board. NEW Standard

15. 14 Discussion Questions Communication with the Board Does your IA function have any plans to change their current level of interaction with the Board or AC? In the current economic climate, have there been changes in requests from the Board? –Frequency? –Level of information? Does your IA function plan to change the type of reporting?

16. 15 © 2010 Protiviti Inc. An Equal Opportunity Employer.