Arizona State University McCord Hall Construction Contract Audit Report - Number 15-04 January 30, 2015

Summary

The audit of the McCord Hall construction contract was included on the Arizona State University (ASU) FY 2015 annual audit plan approved by the Arizona Board of Regents (ABOR) Audit Committee and university senior leadership. University construction projects have been identified as strategic, high-risk areas because charges to the project may not comply with the negotiated contract, resulting in overcharges, cost overruns, and process inefficiencies. Construction administration and project monitoring for ASU is provided by the Capital Programs Management Group (CPMG). University Audit (Audit) previously completed audits of construction contracts administered by CPMG in:

• FY2014 - Audit Report Number 14-03 Sun Devil Fitness Complex Polytechnic Campus Construction Contract, issued in November 2013.
• FY2013 - Audit Report Number 13-04 Interdisciplinary Science and Technology Building 4 (ISTB4) Construction, issued in January 2013.
• FY2008 - Audit Report Number 09-04 Hassayampa Academic Village Contract Administration, issued in April 2008.

Background:

McCord Hall was constructed to help the W. P. Carey School of Business (school) achieve one of its chief objectives: nurturing a robust graduate community culture that encompasses all of the W. P. Carey graduate programs, reflecting the growth and prominence of the school. McCord Hall is home to Executive Education programs and several Master's programs within the school. The building also accommodates MBA Administration and Career Management services for graduate students. Although focused on graduate studies, McCord Hall is also home to the undergraduate Leaders Academy, a community designed for the school's top undergraduate students.
McCord Hall was added to the school's two existing structures, which were renovated during the construction of McCord Hall. Together, they ease overcrowding for the 10,000-plus students who attend the school. The facility consists of two four-level sustainable structures linked by long-span skyways. McCord Hall is approximately 129,000 gross square feet and earned LEED Gold certification. Modern architecture with a dramatic facade of corduroy-pattern exterior brick, sloping walls, and an intimate courtyard defines this state-of-the-art building. The project won two awards from the American Concrete Institute Arizona, for Best Overall Project and Exposing the Best in Concrete. Most recently, the project was recognized by the Arizona Masonry Guild with a Craftsmanship Award and Honor Award, and at the regional ENR (Engineering News-Record) Southwest Awards as the Best Education Project in 2014.

The project was completed using the Construction Manager at Risk (CM@Risk) project delivery method. The CM@Risk provides technical assistance to the designer during the design phase, including constructability reviews, cost estimates, and product specifics to aid in cleaner designs, and provides a fixed price for the contract, called a Guaranteed Maximum Price, for construction. The majority of construction at ASU now uses this method. The CM@Risk selected for this project was DPR Construction (DPR).

To select the CM@Risk, a qualified selection committee (committee) was convened for the request for qualifications, and a licensed contractor was placed on the committee. The packages received were ranked by the committee, which short-listed three firms after weighing the criteria included in the request for qualifications. All of the firms were qualified to perform the required services for the construction of McCord Hall.
The ASU Project Manager served on the committee; individuals from the firms were interviewed, the proposals were assessed, and DPR was ultimately selected. The selection process complied with Arizona Board of Regents policy and the contract requirements.

The contract with DPR (contract) included pre-construction design-phase services as well as construction-phase management, including coordinating all subcontracted work. Two contracts were used with the CM@Risk during this project: the "University Standard Form Agreement Between Owner and CM@Risk on the Basis of a Guaranteed Maximum Price" dated April 19, 2010, for the design phase of the project, and the "University Standard Form Agreement Between Owner and CM@Risk on the Basis of a Guaranteed Maximum Price" dated October 31, 2011, for the construction phase of the project. Audit has made recommendations in previous construction audits for construction projects that used these contract editions. Because the construction phase of McCord Hall was 60% complete at the time these recommendations were made, the recommendations were not implemented for the McCord Hall construction project.

ASU constructed the facility on the Tempe campus for a final Guaranteed Maximum Price (GMP) of $41.0 million. The initial scope of work was subject to a ceiling price of $38.4 million as originally fixed in the contract. However, changes in the scope of the construction project encountered during the Construction Phase necessitated additional, modified, or deleted work, all of which added $2.6 million of additional costs, documented in Change Orders, to the original GMP, resulting in the final total GMP of $41.0 million (see the table, Description of the McCord Hall Contract Phases, below). Funding for the project, including funding for the Change Orders, was provided through the sale of ASU System Revenue Bonds and gifts. ABOR granted Project Implementation Approval for the project in December 2010.
The Capital Committee reviewed the project and ABOR Project Approval was subsequently granted in September 2011 for $57.1 million.

The Total Project Budget Amount was $57.1 million (see the table, Description of the McCord Hall Contract Phases, below), which included GMP construction contract costs of $41.4 million, as well as architectural services, furniture and equipment, telecommunications equipment and installation, CPMG project management expenses, state risk management insurance expenses, and other required costs, totaling an additional $15.7 million.

The CM@Risk performed Design Phase Services during the Pre-Construction Phase of the project to determine the constructability of the facility, including review of the architectural design and drawings, value management and engineering, preliminary schedule formulation, subcontractor scope clarification, and development of a Guaranteed Maximum Price. The responsibilities of the CM@Risk during the Construction Phase of the project included overseeing construction for conformance to drawings and specifications, reviewing and certifying amounts due to subcontractors, managing Change Orders, building inspections, and following Project Closeout procedures.
Description of the McCord Hall Contract Phases

Initial Pre-Construction Phase Fee Expenditures: $329,180
Increase in Pre-Construction Phase Fee via Change Order 1: 1,323
Final Pre-Construction Phase Fee: $330,503

Initial Construction Phase GMP: $38,400,000
Net Change Orders #1 through #10, as of June 24, 2013: 2,619,432
Final Construction Phase GMP: $41,019,432

Total Pre-Construction Phase Fee and GMP as of June 24, 2014: $41,349,935

Other Required Project Costs:
Architect/Engineer, Surveys and Tests: $5,447,513
Furniture, Fixtures, Equipment, Telecommunications Equipment: 7,860,058
Project Management Expenses and Fees, State Risk Insurance: 502,736
Renovation, Special Equipment, Site Development: 178,058
Anticipated Costs for additional Project Management Expenses and Fees, and State Risk Insurance: 1,159,834
Uncommitted Budget: 51,866
Decrease in Budget Funding: 500,000
Total Other Required Project Costs: $15,700,065

Total Budget Amount as of September 30, 2014: $57,050,000

The contract was signed on November 3, 2011, and called for substantial completion of the facility by June 18, 2013. CPMG indicated satisfaction with the quality of the work and that the CM@Risk completed the work within the required timeframe.
Audit Objectives:

To determine whether financial transactions relating to construction activity for the McCord Hall construction project complied with the terms of the contract, including whether or not:

• Contractor billings were adequately supported by actual costs plus overhead, profit, and fees as specified by the construction contract;
• Controls over the process were adequate and in accordance with contract provisions;
• Change Orders were priced according to the contract terms and were properly approved;
• The CM@Risk provided the contracted scope of work; and
• Insurance coverage during construction was in compliance with the terms of the contract.

Scope:

Our audit included a review of the design phase and all construction-phase expenses paid to the CM@Risk from the start of the contract in 2010 through the end of construction in June 2013, including Change Orders #1 through #10 processed through June 2013, and four additional post-construction phase Change Orders #1 to #4 processed from July 2013 through April 2014. CPMG did not expect any additional Change Orders to be processed after April 2014. We relied on CPMG's expertise for the construction technical aspects; therefore, our scope of work did not include any on-site inspections to assess construction methods, materials, or compliance with design specifications.
Methodology:

Our audit objectives were accomplished through:

• Preparing a control schedule of the initial GMP, Change Orders, and payment applications to ensure payments to the CM@Risk did not exceed the approved GMP;
• Selecting a sample of two of the twenty-five payment applications, one from early in the project and one from the middle of the project, and comparing the information in the payment applications to the detail the subcontractors had submitted to the CM@Risk supporting the amounts approved in the payment applications;
• Reviewing ASU payments to vendors other than the CM@Risk to ensure the expenses were allowable costs and not included in the existing CM@Risk contracted scope of work;
• Reviewing the payments made by the CM@Risk to subcontractors and vendors for the actual cost of the work performed, including preparing a control schedule for all subcontractors under subcontract agreements, to ensure that the CM@Risk billed ASU for allowable costs;
• Discussing the project with representatives from CPMG, including the Executive Director, Assistant Director, and Project Manager Senior, and with representatives from University Business Services (UBS), including the Manager of Purchasing and Office Specialist Senior;
• Verifying all required insurance coverage and bonds were maintained during the project;
• Recalculating the overhead, general conditions, and fees charged by the CM@Risk and the subcontractors on all Owner/ASU Change Orders, ensuring the fees were in accordance with the Change Order pricing provisions in the contract;
• Preparing a control schedule to facilitate a pricing review of Change Orders (all Owner/ASU Change Orders, with costs totaling $2,619,432 for the Construction Phase and $68,127 for the Post-Construction Phase, were reviewed), including recalculating the bonds, insurance, and taxes charged; reviewing the supporting documentation to ensure the Change Order amounts agreed to subcontractor quotes; and checking that the changes were reasonable and properly approved;
• Reviewing Owner/Design Contingency and Contractor Contingency Logs for approvals, supporting documentation, and backcharges;
• Ensuring the selection of the Architect was performed in compliance with ABOR and ASU policies under the "Design Professional Agreement (CM@Risk/Operating Manual/Multiple Projects Form)" dated February 26, 2010;
• Ensuring the cost estimating and bidding process was performed in compliance with contract provisions under the "University Standard Form Agreement Between Owner and CM@Risk on the Basis of a Guaranteed Maximum Price" dated October 31, 2011;
• Reviewing subcontracts and bid documents for the seven largest subcontractors to ensure the contract terms were consistent and in compliance with the contract; and
• Reviewing for proper application of the Transaction Privilege Tax (TPT).

Conclusion:

Based on our audit work, contractor billings were adequately supported by actual costs plus overhead, profit, and fees as specified by the construction contract. The financial transactions relating to construction activity, by both CPMG and the CM@Risk, complied with the terms of the contract. Documentation for payment applications, Owner Change Orders, and payments by CPMG was in order and complete. Regarding Construction General Conditions and cost verification, there are opportunities to improve the process for determining the cost of the Construction General Conditions and to further strengthen processes for cost control. Controls over the design and construction process were adequate and in accordance with contract provisions, with the project completed within budget and the CM@Risk providing the contracted scope of work.
Similar to findings in prior construction audits, the architectural fees paid by ASU exceeded the fee calculated under the Arizona Board of Regents' Construction Cost Control and Professional Fee Guidelines. University Audit recommends compiling a historical cost database of architectural services that can be used to compare against future additional architectural services, to help determine fees that are fair and reasonable to the University per ABOR Policy Number 3-804B.5 Professional Services and Construction Services Procurement. Determining architectural fees that are fair and reasonable to the University was also recommended in the Sun Devil Fitness Complex Polytechnic Campus Construction Contract Audit issued in November 2013 and in the Interdisciplinary Science and Technology Building 4 (ISTB4) Construction Audit issued in January 2013. ABOR Policy Number 7-102 Overview of the Capital Development Process and Phases, article E.1, states that the Regents' Construction Cost Control and Professional Fee Guidelines or other industry cost guidelines or internal historical data ("Guidelines") are to be considered when estimating architectural fees to ensure the reasonableness of architectural cost estimates. CPMG is working with the ABOR System Office to review ABOR Policy Number 7-102 for potential revisions.

The CM@Risk self-performed a portion of the construction work on McCord Hall. When the CM@Risk self-performs work, the CM@Risk is functioning as a subcontractor. To verify the reasonableness of the cost of self-performed work, best practices call for receiving at least three competitive bids for all the work performed. Alternatively, self-performed work could be competitively priced with a separate pricing and scoping document explicitly defining scope, labor rates, materials, and pricing method.
While three bids were received for a portion of the materials supplied by the CM@Risk for the self-performed work, the bids did not include labor costs, and the self-performed work was not competitively priced with a separate pricing and scoping document; as a result, there was no independent assurance of the reasonableness of the costs.

With regard to cost verification, and similar to findings in prior construction audits, Audit noted that CPMG did not receive supporting documentation from the CM@Risk sufficient to complete a detailed review of the amounts paid by the CM@Risk to the subcontractors and vendors. CPMG also did not receive supporting documentation, including documentation for Construction Contingency Change Orders, sufficient to perform an in-depth review of the costs billed to ASU by the CM@Risk to determine whether ASU was being billed only for allowable costs, although the costs billed were within the contracted total GMP. Because the university relies on the contracted total GMP to serve as the cost control for construction projects, it is important that every aspect of the contract cost negotiation process be researched, negotiated, and documented properly. In addition, reconciling the CM@Risk payment applications to documentation supporting the costs of construction as these progress payments are made facilitates the contract final close-out process: any savings due the university, arising from the difference between the GMP and the cost of construction as required in Section 7.1.2 of the construction contract, can be identified in a timely manner throughout the construction process.

With this in mind, Audit sought to independently verify insurance costs that had been separately enumerated in the contract. Audit requested copies of insurance certificates for insurance payments as proof of the actual existence of insurance and bond coverage. The CM@Risk did not provide insurance certificates for Subguard Insurance.
In previous audits, Audit sought advice from the ASU General Counsel staff, which, after reviewing the Tri-University construction contract, determined that the CM@Risk was not required to provide Audit with the original supporting documentation of the CM@Risk's actual insurance costs (paid invoices or cancelled checks) under the terms of the current Tri-University standard construction contract template. The Tri-University construction contract requires that the CM@Risk provide the University with certificates of insurance evidencing coverage. Audit recommends that ASU Management continue to work with the Tri-University Construction Contract Committee to review the insurance provisions of the standard construction contract to seek to reduce potential risk to the Universities.

The control standards we considered during this audit and the status of the related control environment are provided in the following table. The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.

General Control Standard: Reliability and Integrity of Financial and Operational Information
• Contractor billings were adequately supported by actual costs incurred by the CM@Risk, plus fee, tax, and bonds and insurance charges as specified by the contract. Finding No.: NA; Page No.: NA; Control Environment: Reasonable to Strong Controls in Place
• Cost estimating, independent cost verification, bidding, and pricing of architectural fees were in accordance with policies and contract provisions. Finding No.: 1, 2, 3; Page No.: 10, 11, 13; Control Environment: Opportunity for Improvement

General Control Standard: Effectiveness and Efficiency of Operations
• The CM@Risk provided the contracted scope of work. Finding No.: NA; Page No.: NA; Control Environment: Reasonable to Strong Controls in Place

General Control Standard: Safeguarding of Assets
Finding No.: NA; Page No.: NA; Control Environment: Not Applicable

General Control Standard: Compliance with Laws and Regulations
• Owner Change Orders were priced according to the contract terms and were properly approved. Finding No.: NA; Page No.: NA; Control Environment: Reasonable to Strong Controls in Place
• Insurance coverage during construction was in compliance with the terms of the contract. Finding No.: NA; Page No.: NA; Control Environment: Reasonable to Strong Controls in Place

We appreciate the assistance of CPMG, UBS and DPR representatives during the audit.

Gordon Murphy, CPA, CFE, MAEd, Internal Auditor Senior
Tracy Grunig, CPA, CFE, CISA, MPA, Chief Audit Executive

Audit Results, Recommendations, and Responses

1. Construction General Conditions Should Be Further Verified for Reasonability

Condition: University Audit noted that Billing Rates charged by the CM@Risk exceeded the Billing Rates allowed under the contract. Billing Rates for labor costs (Billing Rates) within Construction General Conditions need to be verified by ASU against the market to ensure the Billing Rates are not excessive and are competitively market priced. Also, for labor costs and site support costs within Construction General Conditions, supporting detail for these costs should be included in all payment applications by the CM@Risk to allow verification that the amounts paid to the CM@Risk for these costs are correct.

Criteria: The CM@Risk Tri-University Agreement (Agreement) requires that costs for Construction General Conditions be paid by ASU to the CM@Risk for allowable costs only, and for actual costs or negotiated amounts determined to be fair and reasonable to the University.
Labor costs within Construction General Conditions can be based on actual costs or independently competitively priced with a separate pricing and scoping document explicitly defining scope (including tiers of CMAR superintendents, engineers, etc.), Billing Rates, and pricing method. ASU can decompose and benchmark the underlying costs before agreeing to lump-sum terms. In each payment application, the CM@Risk should include supporting detail, including invoices, for site support costs.

Cause: A process had not been identified to determine the propriety of labor costs and site support costs within Construction General Conditions. Regarding this process, in the Sun Devil Fitness Complex Polytechnic Campus Construction Contract audit issued in November 2013, CPMG stated that the Tri-University Construction Task Force would review these issues on Construction General Conditions and provide all three universities guidance for resolution and ratification.

Effect: Following the cost control processes required by contract provisions could help prevent potential overcharges and cost overruns, prevent unallowable costs and mark-ups on Construction General Conditions, and help ensure that the University pays a fair and reasonable amount for its new facilities.

Recommendation: Billing Rates and site support costs need to be based on actual cost or verified against the market by ASU to ensure they are not excessive. Supporting detail for labor costs and site support costs should be included in all payment applications by the CM@Risk to allow verification that the amounts paid to the CM@Risk for these costs are stated and disbursed properly.

Management Response: Concur.
Requesting employee payroll information (particularly for senior project personnel) has been met with resistance from the Contractor community in the past, as it potentially jeopardizes their employee retention leverage with competitor Contractors. A preferred approach would be to establish an ABOR accredited regional market rate for the construction industry at the 3 AZ University locations, which would be updated annually and include average hourly rates for GC general condition employees, i.e. project manager, asst. project manager, project superintendent, site safety manager, which could be used to ensure billing rates are not excessive. Perhaps the ASU School of Construction could assist in the development and management of a database of average personnel (overhead) market rates for the construction industry.

2. Supporting Documentation Was Not Provided Substantiating Subcontractor Bidding Costs and Cost of Self-Performed Work

Condition: The construction phase GMP of $41 million included $31.3 million paid to subcontractors and for self-performed work, of which $19.2 million was bid appropriately, with the lowest bid selected from at least three bids for these trades. While the CM@Risk received three bids for the material portion of the self-performed work, documentation reflecting the lowest responsive and responsible subcontractor bids from at least three bids, and documentation of independent price reviews for self-performed work, was not provided for the remaining $12.1 million paid to subcontractors and for self-performed work, for the purpose of verifying additional cost savings for ASU. For work self-performed by the CM@Risk (self-performed work), the University was to select one or more independent qualified persons to review the CM@Risk Price Submission to ASU. The reviewer was to report to the University and to the CM@Risk whether the reviewer found the Price Submission to be reasonable and appropriate for the Construction Work to be performed.
Criteria: The contract requires the use of independent cost verification control procedures during the various design phases of the building, including obtaining at least three bids for each subcontracted trade and price reviews for self-performed work, to prevent overcharges and cost overruns. Sections 2.2.4.7 and 2.2.4.8 of the General Conditions to the contract state, "If the CM@Risk becomes aware prior to any bid date that less than three (3) prequalified subcontractors plan to bid any portion of any Bid Package, the CM@Risk shall promptly notify the Owner," and "A proposal to accept other than a low lump sum bid shall be justified in writing by the CM@Risk with sufficient detail to satisfy Owner, and be subject to prior written approval by Owner."

When the CM@Risk self-performs work, the CM@Risk is functioning as a subcontractor. To verify the reasonableness of the cost of self-performed work, best practices call for receiving competitive bids for the work. Alternatively, self-performed work could be competitively priced with a separate pricing and scoping document explicitly defining scope, labor rates, materials, and pricing method.

Cause: CPMG stated that independent cost verification control procedures were followed, but because CPMG could not find written documentation verifying the completion of financial control processes and procedures, CPMG does not know whether the procedures were fully documented.

Effect: Following the cost control processes required by ABOR Policies and contract provisions can help prevent substantial overcharges and cost overruns, and demonstrate that the University pays a fair and reasonable amount for its new facilities.
ABOR Policy Number 3-804 B.5 Professional Services and Construction Services Procurement requires that negotiations for construction services include consideration of compensation that is fair and reasonable to the University.

Recommendation: To ensure compliance with ABOR Policies and contract requirements for independent cost verification and subcontractor bidding, CPMG should complete all cost control procedures and maintain written documentation verifying that these procedures have been completed.

Management Response: Concur; however, do not necessarily agree with the $12.1M figure reported as undocumented sub-Contractor/self-performed work requiring documentation of a minimum of 3 qualified bids (see chart below). There is approximately $2.6M included in the $12.1M figure which is associated with a preselected vendor for design assist (W&W Design Assist). Although this work was not competed, it was pre-approved in accordance with contract requirements and should not be included in the $12.1M figure. There is a line item for construction contingency in the amount of ~$1.6M which should also not be included as a "subcontractor bidding" requirement, as it is not specifically assigned to a designated work item or associated with a specific subcontractor. This allocation augments existing sub-contractors and would not be competed: validated but not competed. CPMG is responsible for ensuring proper documentation and auditability of project execution in full compliance with contract requirements. CPMG will implement a standardized project filing format to which all CPMG PMs will adhere. The project file template will include a specific location for filing all required bid documentation.
McCord Audit Bid Delta

W&W Design Assist Sub: $2,610,789 (Pre-selected for design assist, competition not feasible)
DPR Self-perform: 3,741,346 ($1,174,862 of material bids were competed, labor not)
Construction Contingency: 1,611,667 (Competition not required, only validation)
Bids not per Contract: 3,177,071 (CPMG could not provide auditable documentation)
Pay App Misc. Items: 1,026,093 (Items in this category include electric and utility bills, small purchases, and time-sensitive procurements that are not reasonable to compete)
Audit Not Bid Total: $12,166,966

3. Final Independent Corroborating Cost Estimate Was Not Provided by the CM@Risk

Condition: Per ABOR Policy Number 7-109 Project Approval, to ensure that the University paid a fair and reasonable amount for the new facility, upon completion of construction documents an independent corroborating cost estimate was to be completed by an outside cost estimating consultant and compared against the final CM@Risk Construction Cost Estimate, for the purpose of verifying that the amount charged to the University by the CM@Risk under the contract was not excessive.

Criteria: The contract requires the use of independent cost verification control procedures during the various design phases of the building, including outside corroborating cost estimates. Section 2.2.3.4 of the General Conditions to the contract states, "The CM@Risk shall prepare an estimate of Construction Cost as soon as major Project requirements have been identified, and update the estimate for each submittal of the Design Submission Documents specified in 1.2.12 of the General Conditions." Cost estimates were required from the CM@Risk at the Programming, Schematic Design, Design Development, and Construction Documents phases, and were to be prepared independently of the cost estimates at the same phases prepared by the Design Professional.
The cost estimates of the CM@Risk were to be compared to the estimates of the Design Professional. Audit could verify that only two of the eight required estimates were completed. ABOR Policy Number 3-804 B.5 Professional Services and Construction Services Procurement requires that negotiations for construction services include consideration of compensation that is fair and reasonable to the University.

Cause: The required Construction Cost Estimates were not provided by the CM@Risk and Design Professional at all design phases of the building.

Effect: Completion of cost estimates, as required by ABOR Policy, can help prevent substantial overcharges and cost overruns, and demonstrate that the University pays a fair and reasonable amount for its new facilities.

Recommendation: To ensure compliance with ABOR Policies, the CM@Risk and Design Professional should complete the required construction cost estimates.

Management Response: Performing a total of 8 cost estimates during the programming through construction phase is expensive and does not always provide measurable value added. Cost estimates associated with future contract requirements should be determined on a project-specific basis, i.e. for large, complex projects ASU should require up to 8 cost estimates; for smaller, less complex projects, reduce the number of cost estimates accordingly, to not less than 2 (1 from the CMAR and 1 independent from the DP). CPMG shall ensure that all cost estimates are performed and documented in accordance with contract requirements. Leadership within CPMG shall perform internal quality assurance checks throughout the life of a project to ensure contract requirements and administrative policies are complied with.
Distribution:
Arizona Board of Regents Audit Committee
Michael M. Crow, President
Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer
José A. Cárdenas, Senior Vice President and General Counsel
Joanne Wamsley, Vice President of Finance
Lisa S. Loo, Deputy General Counsel
Bruce Nevel, Associate Vice President, Facilities Development and Management
Bruce Jensen, Executive Director, Capital Programs Management
Diane Rowley, Associate Director, Capital Programs Management
Pollie Carter, Manager of Purchasing, University Business Services
Todd Raven, Interim Assistant Director, Capital Programs Management

Arizona State University HIPAA Compliance Audit Report – Number 15-08 May 7, 2015

Summary

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved by the Arizona Board of Regents (ABOR) Audit Committee and university senior leadership. This audit was conducted to evaluate the efficiency of the HIPAA process and university adherence to current policies and practices. The audit was requested to review university compliance with new initiatives created by the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) to more closely monitor and identify violations.

Background: Arizona State University (ASU) provides health care and performs research activities that are subject to the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA’s purpose is to ensure the confidentiality, integrity and availability of individuals’ protected health information. The OCR enforces three rules related to HIPAA:
1. HIPAA Privacy Rule, which protects the privacy of individually identifiable health information.
2. HIPAA Security Rule, which sets national standards for the security of electronic protected health information (ePHI).
3. HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information.

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) established, for the first time, a set of national standards for the protection of certain health information. The HHS issued the Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals’ health information, called Protected Health Information (PHI), by organizations subject to the Privacy Rule, called covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. The definition of PHI under HIPAA is broad and includes information maintained by or for the covered entity relating to a person's health, the care received and payment for services. Within the university, the covered entity comprises its health care components, clinic components, physicians' offices, self-insured health plans, and student health services. PHI does not include health information in employment records maintained by the university in its role as employer.

Currently there are six designated covered components at ASU:
1. ASU Health Services
2. ASU Counseling Services
3. Speech and Hearing
4. College of Nursing and Healthcare Innovations Health Clinics (CONHI)
5. Center for Health Information and Research (CHiR)
6. University Technology Office

Effective February 18, 2010, in accordance with the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), a business associate's disclosure, handling and use of PHI under a Business Associate Agreement (BAA) must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under the HITECH Act, any HIPAA business associate that serves a health care provider or institution is now subject to audits by the OCR within the HHS and can be held accountable for a data breach and penalized for noncompliance. Non-compliance with HIPAA regulations can lead to both civil and criminal penalties. Violations of HIPAA could result in the following penalties:

                     Violations prior to 2/18/2009    Violations on or after 2/18/2009
Penalty Amount       Up to $100 per violation         $100 to $50,000 or more per violation
Calendar Year Cap    $25,000                          $1,500,000

The HIPAA Regulations require the university, as a covered entity, to have a BAA whenever a non-university person or entity provides services to the university involving the use or disclosure of the university's protected information. HIPAA requires that agreements with business associates include specific provisions. The university has standard HIPAA BAAs that should be used whenever a business associate agreement is required.

Audit Objectives: The objectives of the audit engagement were to review all six covered entities at ASU subject to HIPAA regulations and assess the level of compliance with applicable policies and procedures and state and federal regulations as they relate to PHI, and to review the controls in place surrounding the HIPAA process to identify gaps and mitigate risks associated with PHI.
Scope: The scope of this audit encompassed assessing the purpose and relevancy of PHI-related data uses, controls and exposures for ASU. University Audit (Audit) gained an understanding of the process and controls over the designated covered entities by reviewing supporting documentation and holding interviews with applicable staff.

Methodology: Audit performed a review of the current controls surrounding HIPAA regulations as they relate to ASU covered entities. Audit interviewed HIPAA Privacy and Security Officers from the following covered entities: ASU Health Services, ASU Counseling Services, Speech and Hearing, CONHI, and CHiR. During the interviews conducted with Privacy and Security Officers, the following topics were discussed:
• Policies and procedures followed related to the storage and retention of PHI and ePHI.
• Training provided to staff that contact or interact with PHI and ePHI.
• Required forms to be completed by personnel and staff handling PHI and ePHI.
• Measures taken to ensure the security of ePHI on the system network.
• Requirements that must be met to gain access to PHI and ePHI information.
• Background check requirements before access to PHI and ePHI is granted.
• Personnel and staff’s level of satisfaction with the current systems in place related to PHI and ePHI.
• The level of interaction with other covered entities (Privacy and Security Officers in other covered entities).

Walkthroughs were performed to observe the physical security of PHI files and gain an understanding of who has access to PHI files.

Conclusion: Audit test work indicated that covered entities are in compliance with HIPAA regulations, but the overall control environment could be strengthened.
Recent changes to HIPAA regulations in 2012 increased the risks related to the security of PHI and ePHI. A strong control environment is mandated; if a breach were to occur, ASU would face reputational risk as well as monetary fines assessed depending on the severity of the breach. The continually changing environment related to PHI and ePHI requires ASU to take proactive approaches to ensure all HIPAA standards and regulations are not only met but exceeded. ASU is a unique and diverse institution that operates unlike most facilities that need to meet HIPAA requirements. The constant evolution of the HIPAA process and of the uses of PHI and ePHI requires continual monitoring to assist in the mitigation of risks. While many of the requirements stipulated by HIPAA were disseminated across the university, knowledge did not appear to be uniformly consistent among the Privacy and Security Officers interviewed. A need was expressed for more active involvement from the University Privacy Officer in providing direction and guidance to the covered entities. It was noted during the audit that the University HIPAA Privacy Officer has made multiple changes to the HIPAA process. With the continual evolution of the HIPAA requirements, the university may want to consider providing additional help to the University Privacy Officer to assist in the monitoring and functioning of the HIPAA process. In the remainder of this report, Audit has identified exceptions to the process and additional steps that could be taken to mitigate risks associated with HIPAA regulations.

The control standards we considered during this audit and the status of the related control environment are provided in the following table. (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
General Control Standard                                                   Control Environment                      Finding No.   Page No.

Reliability and Integrity of Financial and Operational Information
• Business Associate Agreements are utilized for vendors handling PHI       Opportunity for Improvement              4             8
• Properly monitoring access to PHI and ePHI                                Opportunity for Improvement              5, 7          9, 11

Effectiveness and Efficiency of Operations
• Proper channels for distribution of business practices related to PHI    Reasonable to Strong Controls in place   N/A           N/A
• Regular communication is provided to covered entities handling PHI       Opportunity for Improvement              2             6
• HIPAA training is properly monitored and tracked                          Reasonable to Strong Controls in place   N/A           N/A

Safeguarding of Assets
• Proper forms and background checks are being completed                    Opportunity for Improvement              6             9
• All personnel privy to PHI and ePHI have completed the HIPAA training     Opportunity for Improvement              3             7
• PHI and ePHI is properly secured                                          Opportunity for Improvement              1             6

Compliance with Laws and Regulations
• ASU is following HIPAA regulations                                        Reasonable to Strong Controls in place   N/A           N/A
• Following ASU policies and procedures                                     Reasonable to Strong Controls in place   N/A           N/A

We appreciate the assistance of the University HIPAA Privacy and Security Officers and the University Privacy Officer.

________________________
Chris Crisci, CPA
Internal Auditor Senior

________________________
Tracy Grunig, MPA, CPA, CISA, CFE
Chief Audit Executive

Audit Results, Recommendations and Responses

1. Electronic Personal Health Information was stored on a local drive.

Condition: Nursing staff at CONHI improperly stored ePHI on a local server instead of the secured network. The information was stored on the local server as part of the current process for depositing co-pay funds collected from patients at the time services were rendered. The ePHI was being used for financial and patient account reconciliation purposes.
Criteria: Covered entities are required to store ePHI in a secure environment.

Cause: Nursing staff were unaware that the local servers were not considered secure. It was believed that, since only they had access, the storage was secure.

Effect: ePHI stored on a local server instead of the secure Citrix server allows for greater access to the information. This increases the risk of a breach and the possibility of causing reputational and monetary damage to the university.

Recommendation: Ensure all ePHI is removed from local servers. Review the current deposit process and modify the process to de-identify or not include PHI as it relates to deposit and patient reconciliation purposes.

Management Response: This recommendation has been initiated. The College of Nursing Privacy Officer is removing all ePHI from local servers and is revising the storage process. The university HIPAA Privacy Officer has reinforced university security practices, reminding the department of effective security practices. Deadline for completion is December 31, 2015.

2. Increase the communication between HIPAA covered entities.

Condition: Currently, no continuous line of communication exists between the HIPAA Security and Privacy Officers of the covered entities. Group meetings are not being mandated for the Security and Privacy Officers to encourage sharing and learning opportunities that would increase the knowledge of the entities. Many of the entities are functioning in a similar manner and exhibiting similar risks and challenges related to HIPAA compliance regulations.

Criteria: Communication among the entities is significant to gain economies of scale and increase the knowledge of each entity. Scheduled meetings may improve the dissemination of new PHI and ePHI requirements as well as provide an open forum to discuss problems or obstacles an entity may face.
Cause: It has not been the practice of the university to hold meetings for all covered entities.

Effect: Not having a formal channel of distribution and training for departments leaves the university in a vulnerable position with respect to the PHI and ePHI requirements regulated by HIPAA.

Recommendation: Conduct regular meetings with the Privacy or Security Officer attending. Regular meetings with personnel and staff from the covered entities could provide training and open forums to discuss obstacles or adversity they may be facing.

Management Response: This recommendation has been implemented. The ASU HIPAA Privacy Officer and HIPAA Security Officer have implemented an annual communication plan including regular meetings (likely quarterly) and regular communications and cross-training opportunities.

3. Contracted janitorial staff cleaning in areas with HIPAA-related information are not properly trained or aware of the regulations surrounding HIPAA information.

Condition: Contracted janitorial staff have access to areas in the clinics and offices where PHI is stored. The janitorial staff had not completed the HIPAA training mandated by ASU.

Criteria: Mandating that all contracted janitorial staff complete the HIPAA training course decreases the liability to the university and ensures proper recourse if PHI is improperly shared or breached.

Cause: Contracted janitorial staff with access to PHI were not required to complete the HIPAA training required by the university.

Effect: Contracted janitorial staff could improperly and unknowingly share PHI, leaving the university in an unfavorable position by not having proper documentation for legal recourse.
Recommendation: The covered entities should review all personnel who have access to or may come in contact with PHI, require them to complete the mandatory HIPAA training course required by the university, and have them sign a document attesting to the completion of the training and their understanding of PHI.

Management Response: This recommendation has been initiated in Covered Entities (CE). A process has been worked out in Health Services that can be mirrored in other CEs. In addition, every CE engages in general privacy and security practices that limit exposure of PHI to janitorial staff.

4. No business associate agreement with Canon Inc. copiers exists.

Condition: A business associate performs functions or activities on behalf of a covered entity that involve access to protected health information, or is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Canon Inc. is responsible for performing maintenance and for the collection and redistribution of copiers. The copiers contain an internal hard drive, allowing PHI to be stored on the copiers. This inadvertently gives Canon Inc. access to university PHI. Business associate agreements are required with all partners that have access to PHI from the university.

Criteria: Canon Inc. is the copy machine provider for the university. Larger copiers have hard drives stored in the machines, and Canon Inc. is responsible for the maintenance, recollection and redistribution of the machines.

Cause: Canon Inc. did not have a BAA filed with the university when the audit was conducted.

Effect: BAAs mandate that the business handling PHI adhere to HIPAA rules, and the business can be held accountable for a data breach and penalized for noncompliance.
Without a signed BAA, the university could have less legal recourse against a company that has improperly stored, disposed of, or shared PHI.

Recommendation: Obtain a BAA from Canon Inc. ensuring they are responsible for and aware of the requirements for proper handling of copiers used with PHI.

Management Response: ASU agrees with this recommendation. The process for obtaining a BAA with Canon has been initiated with Sam Wheeler, Executive Director, Business and Auxiliary Services.

5. Perform more thorough self-monitoring audit steps on access to PHI at the covered entities.

Condition: Currently, clinic staff randomly select patients and review who has accessed each patient’s information to see whether there has been improper access to the patient’s record.

Criteria: The sampling method does provide a level of assurance. However, a more judgmental sampling method should be used when performing self-monitoring audit steps.

Cause: The clinics have always performed the review in this manner, and the process had not been reviewed to identify a more efficient way of performing the review prior to this audit.

Effect: By using a random selection of patients, clinic staff are not effectively gaining insight into who is accessing patients’ records. Limiting the review to a random sample is not conducive to identifying improper viewing of PHI by someone other than the intended person.

Recommendation: Perform a more thorough review of PHI accessed. For example, obtain a list of a physician’s known patients, then review which patient files the physician has accessed outside of their known patients and determine the reason(s) for access to those patients.

Management Response: ASU agrees with this recommendation. All CEs will be asked to provide the University Privacy Officer and Security Officer a more thorough and specific process for reviewing access to PHI.
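The relationship-based review recommended in finding 5 above, as an added example that is not part of the audit report or of any ASU system: it compares each clinician's record accesses against that clinician's known patients and flags everything outside the list, and for contrast also implements the random-patient sampling the finding describes as current practice. The access-log format, the user and patient identifiers, and the known-patient lists are constructed assumptions; in a real clinic the known-patient mapping would come from the scheduling or treatment-relationship source.

```python
"""
Self-monitoring review of PHI access, two ways:
  1. random_patient_sample  - the current practice from finding 5 (random patients,
                               list who touched them)
  2. unexpected_accesses    - the recommended judgmental review (per clinician,
                               accesses outside that clinician's known patients)
All data below is constructed for illustration; it is not from the audit report.
"""
import random
from collections import defaultdict
from datetime import datetime

# Constructed treatment relationships (assumption: derived from the appointment
# schedule). User IDs and patient IDs are placeholders.
KNOWN_PATIENTS = {
    "dr_adams": {"P1001", "P1002", "P1003"},
    "dr_baker": {"P2001", "P2002"},
}

# Constructed EHR access log, one event per line: timestamp|user|patient_id|action
SAMPLE_LOG = """\
2015-03-02T09:05:00|dr_adams|P1001|view
2015-03-02T09:20:00|dr_adams|P1002|view
2015-03-02T12:41:00|dr_adams|P2001|view
2015-03-03T08:15:00|dr_baker|P2002|update
2015-03-03T08:17:00|dr_baker|P2001|view
2015-03-03T22:03:00|dr_baker|P1003|view
2015-03-04T10:00:00|dr_baker|P1003|print
2015-03-04T10:30:00|dr_adams|P1003|view
2015-03-04T11:00:00|temp_clerk|P1001|view
"""


def parse_log(text):
    """Parse pipe-delimited access log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def random_patient_sample(events, k, seed=0):
    """Current practice: pick k patients at random and list every user who accessed each.
    The reviewer then has to judge each accessor with no context about who should be there."""
    patients = sorted({e["patient"] for e in events})
    chosen = random.Random(seed).sample(patients, k)
    return {p: sorted({e["user"] for e in events if e["patient"] == p}) for p in chosen}


def unexpected_accesses(events, known_patients):
    """Recommended review: keep only accesses where the user has no known treatment
    relationship with the patient. Users absent from the mapping are flagged on every access."""
    return [e for e in events if e["patient"] not in known_patients.get(e["user"], set())]


def summarize_by_user(flagged):
    """Group flagged events as {user: {patient: [actions...]}} so each clinician's
    out-of-relationship accesses form one worklist for follow-up."""
    summary = defaultdict(lambda: defaultdict(list))
    for e in flagged:
        summary[e["user"]][e["patient"]].append(e["action"])
    return {user: dict(patients) for user, patients in summary.items()}


def review(log_text=SAMPLE_LOG, known_patients=KNOWN_PATIENTS):
    """Run the judgmental review over a log and return the per-user worklist."""
    return summarize_by_user(unexpected_accesses(parse_log(log_text), known_patients))


if __name__ == "__main__":
    for user, patients in review().items():
        for patient, actions in patients.items():
            print(f"{user} accessed {patient} outside known relationships: {actions}")
```

The flagged list is a worklist, not a verdict: the finding's last step, determining the reason for each access, still has to be done by a reviewer, since coverage for a colleague or an emergency lookup can be legitimate. The point the code makes is that the relationship-based pass surfaces every such case in one run, while the random sample only finds one if the sampled patient happens to be the one that was accessed.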
The scheduled deadline for submitting a plan is December 31, 2015, and the scheduled deadline for implementation is June 30, 2016.

6. Confidentiality agreements signed by all personnel using PHI.

Condition: Currently it is not a requirement of the university that all personnel handling or dealing with PHI sign a confidentiality agreement. Confidentiality agreements provide legal documentation in which an employee signs a consent stating that they understand the general rules of PHI.

Criteria: Mandating that all employees handling PHI and ePHI complete a confidentiality agreement may decrease the liability to the university and ensure proper legal recourse if PHI is improperly communicated or shared.

Cause: It has not been the practice of the university in previous years to have staff and personnel sign confidentiality agreements.

Effect: Without a signed confidentiality agreement, the university could have reduced legal recourse against an employee found to have improperly shared or discussed PHI. With a confidentiality agreement, the university would have legal recourse and reduce the chances of being in an unfavorable position.

Recommendation: Require all staff and personnel to sign a confidentiality agreement coinciding with the HIPAA training that is being mandated. Include this as part of the onboarding process and annual certifications. Confidentiality agreements could include information such as the following:
• Protected Health Information (PHI) is considered confidential and should not be used for purposes other than its intended use.
• There is an ethical and legal obligation to protect PHI used or obtained in the course of performing duties, and all policies on confidentiality apply equally to data stored on the computer, to paper records, and to information discussed.
• Authorization to disclose PHI is made only by owners of the PHI and only on a need-to-know basis.
• Unauthorized use of, or access to, PHI may result in discipline up to and including termination. Violation or breach of confidentiality with regard to PHI may also create civil or criminal liability.

Management Response: ASU agrees with this recommendation. The HIPAA training module was revised. A “certification statement” will be added to the end of the training that will specifically state the above points in the recommendation. Participants in the training are not able to complete the training without certifying an understanding of the general rules of PHI and University practice. This was added and is part of the training released in summer 2015.

7. Roles and responsibilities of individuals utilizing PHI and ePHI are not documented and communicated to the entire organization.

Condition: A document (e.g., a job description) describing the specific roles and responsibilities of individuals utilizing PHI and ePHI should be maintained to reinforce the security standards issued by the HHS.

Criteria: Requesting departments to document the roles and responsibilities of individuals with access to PHI and ePHI will assist the covered entities and the University HIPAA Privacy Officer in clearly identifying job duties and needs. In addition, it provides a road map of who may be using PHI and ePHI, allowing reviews to be performed to ensure proper access.

Cause: The data needed to provide this information to the University HIPAA Privacy Officer had not been considered or developed prior to this audit.

Effect: Having a formal description of roles and responsibilities reported to the University HIPAA Privacy Officer could decrease the risk of staff and personnel improperly viewing or accessing PHI and ePHI.
Documented roles and responsibilities can assist the University HIPAA Privacy Officer in identifying areas of concern within the organization. This could identify people accessing PHI and ePHI without a valid purpose.

Recommendation: Mandate that all covered entities create organizational charts including job descriptions, roles, and responsibilities for individuals utilizing PHI and ePHI. The data should be provided to the University HIPAA Privacy Officer and regularly reviewed to determine whether the responsibilities of individuals utilizing PHI and ePHI have been clearly defined.

Management Response: ASU agrees with this recommendation. As part of the annual communication plan, all Covered Entities will be asked to send an organization chart with roles and responsibilities related to PHI to the University Privacy Officer and Security Officer. Updates will be requested on an annual basis.

Distribution:
Arizona Board of Regents Audit Committee
Michael M. Crow, President
Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer
Mark Searle, Deputy Provost, Chief of Staff and Professor
José A. Cárdenas, Senior Vice President and General Counsel
Lisa Loo, Deputy General Counsel
Joanne Wamsley, Vice President for Finance
Gordon Wishon, Chief Information Officer
Tina Thorstenson, Assistant Vice President and Chief Information Security Officer, HIPAA Security Officer
Aaron D. Krasnow, Assistant Vice President and Director, ASU Counseling Services, HIPAA Privacy Officer
Benjamin Mitsuda, Associate General Counsel, General Counsel for HIPAA Compliance