D-7 Works Like a Charm - Association of College & University Auditors

9/30/2015
Works like a Charm: Combined Shops of Audit, Compliance and Privacy!
(Professional Development and Leadership Track)
Thursday Oct 1, 2015 – 8:00 - 9:40a
Sonal J. Shah, CPA, MSPA, CHC, CGMA
Senior Director, Compliance, Ethics and ERM
Office of Audit, Compliance and Privacy
Stanford University
2015 ANNUAL CONFERENCE
Indianapolis
Career Profile
- Public Accounting Firms
- Aetna
- Yale New Haven Health System
- Landmark Medical Center
Career Profile
- Tufts Medical Center
- Hartford HealthCare
- Harvard University – School of Dental Medicine
- Stanford University
Career Profile
Responsible for:
- Internal Audit, Compliance, Ethics, Privacy, Risk, Conflict of Interest, Enterprise Risk Management, Investigations, Financial Analysis, …
Stanford – Tone at the Top
“As a member of the Stanford University community, each of us is responsible for maintaining the highest ethical standards and performing activities with the utmost integrity and fairness.”
– John Hennessy, President
Organization Chart
Stanford - The Office of Audit, Compliance and Privacy
Mission
To provide Independent and Objective Assurance, Consulting and Investigative Services designed to Add Value and Improve Operations.
- Assurance Services
- Consulting Services
- Investigative Services
Vision
To be a Valued Partner and Advisor to Management, Faculty and the Audit, Compliance and Risk Committee.
- Internal Audit
  - Stanford University incl. School of Medicine
  - SLAC National Accelerator Laboratory
  - Stanford Management Company
  - Stanford Health Care
  - Lucile Packard Children’s Hospital
- Compliance, Ethics, Enterprise Risk Management and Investigations
  - Stanford University incl. School of Medicine
  - SLAC National Accelerator Laboratory
  - Stanford Management Company
- Privacy
  - Stanford University incl. School of Medicine
  - SLAC National Accelerator Laboratory
  - Stanford Management Company
Disclaimer
(To prevent any incorrect understanding)
- My Individual View
- Not that of Stanford University or any of my Previous Employers
Organization of Functions
- Interesting!
- Controversial?
- No Right Way or Wrong Way of Organizing these Functions!
University Stakeholders
- Students
  - Education and Learning
- Governmental and Private Sponsors
  - Research
- Donors
  - Various Causes and Activities
- Patients and Insurers
  - Patient Care
Growth of Functions
- Historical Perspective
- Traditional Acceptance
- Not-for-Profit World
Internal Audit
- Financial Statements
  - (Re)View, Verify, Validate
  - Tests of Completeness, Validity, Accuracy, Existence, Relevance, etc.
- External Auditors and Internal Auditors
- Independence and Objectivity
- Process and Controls
Internal Audit
Compliance and Ethics
- Fraud – Misuse of Monies
- Defense Industry
- Healthcare
- Higher Education
Compliance and Ethics
- Federal Sentencing Guidelines
- The Seven Elements
- “Best Business Practices”
- Review, Reveal, Rectify
- Objectivity and Integrity
Privacy
- HIPAA
  - Health Insurance Portability and Accountability Act
  - Protects the Privacy of Individually Identifiable Health Information
  - PHI – Protected Health Information
  - The Privacy Rule, The Security Rule
  - Office for Civil Rights (OCR)
Privacy
- FERPA
  - Family Educational Rights and Privacy Act
  - Protects the Privacy of Student Education Records
  - U.S. Department of Education
Privacy
- Other Information – Employee related
  - Part of PII – Personally Identifiable Information
Bottom-line
- Review of Data/Information
Purpose of Functions
- Strive to Ensure Funds Entrusted are Used Responsibly and for their Intended Purpose.
- Hence, promote actions of a Fiscally Conscientious Nature.
Simple Message
All Three – Based on a Set of Rules
- Internal Audit
  - Institute of Internal Auditors (IIA)
  - American Institute of Certified Public Accountants (AICPA)
  - Code of Professional Conduct
  - Standards and Procedures
All Three – Based on a Set of Rules
- Compliance
  - The Federal Sentencing Guidelines (FSG)
  - Society of Corporate Compliance and Ethics (SCCE)
  - Health Care Compliance Association (HCCA)
All Three – Based on a Set of Rules
- Privacy
  - Privacy Rule
  - Security Rule
  - FERPA Regulations – For School Officials, Students, Parents
All Three – Governance, Organization and Reporting
- Functionally – Audit, Compliance and Risk Committee of the Board of Trustees (Directors, Regents)
All Three – Governance, Organization and Reporting
- Administratively – President – Cabinet (Senior Management Group)
  - Chief Financial Officer?
  - Chief Legal Officer/General Counsel?
All Three – Charters
- Charter
  - The Audit, Compliance and Risk Committee
- Charter
  - Audit, Compliance and Privacy Office
All Three – Assessment of Risk
- Enterprise Risk
  - Risk Matrix, Risk Profiles
- Compliance Risk
  - Risk List
  - Data Collection Forms
- Audit Risk
  - Meetings with Clients
  - Fraud Questionnaires, Attestation Forms
All Three – Risk-based Annual Plan
- Public Expectations
- Governmental Activity
- Senior Management Priorities
- Client Input
- External Audit Results
- Peer Objectives
- Best Business Practices
All Three – Process
- Reviewing
- Auditing
- Monitoring
- Assessing
- Investigating
All Three – Investigations
- More than one Helpline?
All Three – Results, Follow-up
- Observations/Findings
- Management Action Plans
- Modifying Process and Controls
- Enforcement and Discipline
- Goal - Reduce Risk and Exposure
All Three – Similar Products
- Audit Report
- Compliance Risk Assessment
- Investigation Report
- Memo to Management
- Memo to File
All Three – Reporting Format
- PowerPoints
- Dashboards
  - Trending
  - Analysis – by School, Functional Area, Category, Risk
  - Cumulative Totals
  - Progress – Red, Blue, Green
All Three – Audience
- Client Areas – Functional Owners
- Senior Management
- Audit, Compliance and Risk Committee
- Governmental Agencies
- External Auditors
All Three – Training and Education
- New Employee Orientation
- Face X Face
- Web-based
  - Video Clips
  - Position Papers
  - FAQs
All Three – Back-office Services
- Overhead
Contribution – Assurance Service
All Three – Staffing
- Qualifications
- Skill Sets
- Attitude/Mindset
All Three – Safeguarding against Fraud, Waste and Abuse
Fraud, Waste & Abuse
Want to ensure that we use the monies given to us and the funds entrusted to us as effectively as possible, with no:
FRAUD
Intentionally, knowingly and willfully attempting to execute a scheme of falsely obtaining payment from federal, state or other governmental organizations.
WASTE
Spending that can be eliminated without reducing quality of the service or product.
ABUSE
Improper behavior or billing practices that create unnecessary costs.
All Three – Fraud, Waste and Abuse
Fraud Triangle
Privacy Triangle?
All Three – Fraud, Waste and Abuse
Fraud Exposure Rectangle (figure, with ACP at the centre): 1 Management & Directors; 2 The Organization & Its Industry; 3 Company’s Relationship w Other Entities; 4 Financial Results & Operating Characteristics
All Three – Fraud, Waste and Abuse
Privacy - Access of Data
Conflict of Interest
Faculty Policy, Staff Policy on Conflict of Commitment and Interest
- Faculty and staff owe their primary professional allegiance to the university.
- All of the activities undertaken should be performed with the best interest of the University, Sponsors, Students, Donors and Patients in mind.
- Research should be conducted with integrity.
- There should be no actual or perceived personal gain for the University Community Member or his/her family and friends.
Audit, Compliance and Privacy…
Yesterday - Audit, Compliance and Privacy…
Tomorrow…
Looking to be Partners…
Questions and Comments